From 6ae4abab5c8bc6aea62ff2328bd1c8deb2107287 Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Thu, 2 Apr 2026 15:31:14 +0530
Subject: [PATCH] fix: preserve HAB_AUTH_TOKEN through sudo and fix Windows hab PATH

Linux/macOS: `sudo hab pkg install` was dropping the HAB_AUTH_TOKEN environment variable because sudo does not preserve env vars by default. The token was correctly set via `export`, but the hab process running under sudo never received it, resulting in 401 Unauthorized from Builder.
Fix: use `sudo -E` to preserve the environment across all three `sudo hab pkg install` invocations (Linux build install, Linux download, macOS download).
Windows: hab binary was installed to C:\ProgramData\Habitat but that directory was never added to GITHUB_PATH in the Configure Habitat step, causing subsequent steps to fail with 'hab is not recognized'.
Fix: add C:\ProgramData\Habitat to GITHUB_PATH.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Nikita Mathur
---
 .github/workflows/grype-hab-package-scan.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/grype-hab-package-scan.yml b/.github/workflows/grype-hab-package-scan.yml
index 0b76f5a..011bcb9 100644
--- a/.github/workflows/grype-hab-package-scan.yml
+++ b/.github/workflows/grype-hab-package-scan.yml
@@ -152,7 +152,7 @@ jobs:
 hartifacts=$(ls results/*.hart)
 if [ -f "$hartifacts" ]; then
 echo "Built package artifact: $hartifacts"
- sudo hab pkg install $hartifacts
+ sudo -E hab pkg install $hartifacts
 else
 echo "Error: No .hart file found in results/"
 exit 1
@@ -189,7 +189,7 @@ jobs:
 PACKAGE="${PACKAGE}/${{ inputs.hab_release }}"
 fi
- INSTALL_CMD="sudo hab pkg install ${PACKAGE}"
+ INSTALL_CMD="sudo -E hab pkg install ${PACKAGE}"
 if [ -n "${{ inputs.hab_channel }}" ]; then
 INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.hab_channel }}"
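Review bot: `sudo -E` on the added install line asks sudo to keep the whole job environment for the root `hab` process, not only HAB_AUTH_TOKEN, so any other secret or tool variable exported in the job crosses the privilege boundary too. Where the runner's sudo supports the list form, narrowing it to the one variable keeps the fix and drops the rest: `sudo --preserve-env=HAB_AUTH_TOKEN hab pkg install "$hartifacts"`. Quoting `$hartifacts` also avoids word splitting on the artifact path. The same `-E` is added in the `-189` and `-582` hunks, where `INSTALL_CMD="sudo --preserve-env=HAB_AUTH_TOKEN hab pkg install ${PACKAGE}"` would be the equivalent change. The enclosing run script starts and ends outside the hunk.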
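Review bot: The command string that now carries `sudo -E` is assembled from `${{ inputs.hab_release }}` and `${{ inputs.hab_channel }}`, which Actions substitutes into the script text before the shell parses it, so quotes or shell metacharacters in an input value become part of the script rather than data. With this change, whatever ends up in `INSTALL_CMD` runs as root with the job environment preserved, which raises the cost of that pattern. Passing the inputs through the step's `env:` mapping (for example `HAB_CHANNEL: ${{ inputs.hab_channel }}`) and referencing them as quoted shell variables, `INSTALL_CMD="${INSTALL_CMD} --channel ${HAB_CHANNEL}"`, keeps them as data. How `INSTALL_CMD` is executed is outside the hunk, so confirm it is not run through `eval`; the `-582` hunk has the same construction.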
@@ -298,6 +298,7 @@ jobs:
 echo "HAB_LICENSE=accept-no-persist" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 New-Item -ItemType Directory -Force -Path "C:\hab\accepted-licenses"
 New-Item -ItemType File -Force -Path "C:\hab\accepted-licenses\habitat"
+ echo "C:\ProgramData\Habitat" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
 - name: Checkout code
 if: ${{ inputs.build_package == true }}
@@ -582,7 +583,7 @@ jobs:
 PACKAGE="${PACKAGE}/${{ inputs.hab_release }}"
 fi
- INSTALL_CMD="sudo hab pkg install ${PACKAGE}"
+ INSTALL_CMD="sudo -E hab pkg install ${PACKAGE}"
 if [ -n "${{ inputs.hab_channel }}" ]; then
 INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.hab_channel }}"
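Review bot: The added `GITHUB_PATH` line puts `C:\ProgramData\Habitat` on PATH for every later step of the job without checking that `hab.exe` is there or who can write to that directory. Entries written to `GITHUB_PATH` are prepended, so any executable in the directory shadows same-named system tools in later steps; on a self-hosted or shared Windows runner it is worth confirming that only administrators can write to it. A short comment above the line would record the intent, e.g. `# hab.exe is installed to C:\ProgramData\Habitat; expose it to later steps`, and a `Test-Path "C:\ProgramData\Habitat\hab.exe"` check would fail the step early if the install location changes. Whether hab is installed before or after this step is not visible in the hunk, so the check may belong in the install step instead.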