Stop relying on GITHUB_ENV for proxy TLS trust propagation

Copilot · lpcox · web-flow · commit d676b906c765 · 2026-04-17T22:48:35.000Z
Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/6579536c-4790-47dc-8c0c-eed5aaaf2030 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
diff --git a/docs/PROXY_MODE.md b/docs/PROXY_MODE.md
@@ -227,9 +227,6 @@ export SSL_CERT_FILE=/tmp/gh-aw/mcp-logs/proxy-tls/ca.crt
 export GIT_SSL_CAINFO=/tmp/gh-aw/mcp-logs/proxy-tls/ca.crt
 ```
 
-When `GITHUB_ENV` is present (GitHub Actions), `awmg proxy --tls` appends these TLS trust
-variables automatically for downstream steps.
-
 **System-wide (Ubuntu)**:
 ```bash
 cp /tmp/gh-aw/mcp-logs/proxy-tls/ca.crt /usr/local/share/ca-certificates/mcpg-proxy.crt
diff --git a/internal/cmd/proxy.go b/internal/cmd/proxy.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
-	"io"
 	"log"
 	"net"
 	"net/http"
@@ -328,28 +327,5 @@ func configureTLSTrustEnvironment(caCertPath string) error {
 			return fmt.Errorf("failed to set %s: %w", key, err)
 		}
 	}
-
-	githubEnvPath := os.Getenv("GITHUB_ENV")
-	if githubEnvPath == "" {
-		return nil
-	}
-
-	// Best-effort append: the proxy should still start even if GITHUB_ENV cannot be opened.
-	// Mode is intentionally 0 because O_CREATE is not used (existing runner-managed file only).
-	f, err := os.OpenFile(githubEnvPath, os.O_APPEND|os.O_WRONLY, 0)
-	if err != nil {
-		logger.LogWarn("startup", "Skipping GITHUB_ENV TLS trust export: open failed for %s: %v", githubEnvPath, err)
-		return nil
-	}
-	defer f.Close()
-
-	for _, key := range tlsTrustEnvKeys {
-		if _, err := io.WriteString(f, key+"="+caCertPath+"\n"); err != nil {
-			logger.LogWarn("startup", "Skipping GITHUB_ENV TLS trust export: write failed for %s (%s): %v", githubEnvPath, key, err)
-			return nil
-		}
-	}
-
-	logProxyCmd.Printf("Appended TLS trust environment to GITHUB_ENV: %s", githubEnvPath)
 	return nil
 }
diff --git a/internal/cmd/proxy_test.go b/internal/cmd/proxy_test.go
@@ -415,7 +415,6 @@ func TestConfigureTLSTrustEnvironment(t *testing.T) {
 
 	t.Run("sets trust environment variables in process", func(t *testing.T) {
 		assert := assert.New(t)
-		t.Setenv("GITHUB_ENV", "")
 		for _, key := range tlsTrustEnvKeys {
 			t.Setenv(key, "")
 		}
@@ -428,35 +427,8 @@ func TestConfigureTLSTrustEnvironment(t *testing.T) {
 		}
 	})
 
-	t.Run("skips GITHUB_ENV append when env var is unset or empty", func(t *testing.T) {
-		t.Setenv("GITHUB_ENV", "")
-		require.NoError(t, configureTLSTrustEnvironment(caPath))
-	})
-
-	t.Run("appends trust environment variables to GITHUB_ENV", func(t *testing.T) {
-		assert := assert.New(t)
-		githubEnvFile := t.TempDir() + "/github_env"
-		require.NoError(t, os.WriteFile(githubEnvFile, []byte{}, 0o644))
-		t.Setenv("GITHUB_ENV", githubEnvFile)
-		for _, key := range tlsTrustEnvKeys {
-			t.Setenv(key, "")
-		}
-
-		err := configureTLSTrustEnvironment(caPath)
-		require.NoError(t, err)
-
-		content, err := os.ReadFile(githubEnvFile)
-		require.NoError(t, err)
-		for _, key := range tlsTrustEnvKeys {
-			assert.Contains(string(content), key+"="+caPath+"\n")
-		}
-	})
-
-	t.Run("treats GITHUB_ENV write failures as best-effort", func(t *testing.T) {
-		if _, err := os.Stat("/dev/full"); err != nil {
-			t.Skip("/dev/full not available on this platform")
-		}
-		t.Setenv("GITHUB_ENV", "/dev/full")
+	t.Run("does not rely on GITHUB_ENV", func(t *testing.T) {
+		t.Setenv("GITHUB_ENV", "/path/that/does/not/exist/github_env")
 		require.NoError(t, configureTLSTrustEnvironment(caPath))
 	})
 
