From 99fcc7b2a12a3895509ff680d8b72d80b2e210ab Mon Sep 17 00:00:00 2001
From: "Michael B. Gale" <mbg@github.com>
Date: Tue, 17 Feb 2026 13:42:51 +0000
Subject: [PATCH] Check whether `value` is a URL in `checkEnvVar` and clear
 credentials

Note also that we run this after `getCredentials` which already instructs Actions to mask credentials that we know about in logs
---
 lib/start-proxy-action.js           |  9 ++++++++-
 src/start-proxy/environment.test.ts | 27 ++++++++++++++++++++++++---
 src/start-proxy/environment.ts      |  9 ++++++++-
 3 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
index dfd9f63fd..65447f393 100644
--- a/lib/start-proxy-action.js
+++ b/lib/start-proxy-action.js
@@ -121819,7 +121819,14 @@ var path3 = __toESM(require("path"));
 function checkEnvVar(logger, name) {
   const value = process.env[name];
   if (isDefined2(value)) {
-    logger.info(`Environment variable '${name}' is set to '${value}'.`);
+    const url = URL.parse(value);
+    if (isDefined2(url)) {
+      url.username = "";
+      url.password = "";
+      logger.info(`Environment variable '${name}' is set to '${url}'.`);
+    } else {
+      logger.info(`Environment variable '${name}' is set to '${value}'.`);
+    }
     return true;
   } else {
     logger.debug(`Environment variable '${name}' is not set.`);
diff --git a/src/start-proxy/environment.test.ts b/src/start-proxy/environment.test.ts
index 4fc9946a0..edcddab56 100644
--- a/src/start-proxy/environment.test.ts
+++ b/src/start-proxy/environment.test.ts
@@ -29,12 +29,16 @@ function assertEnvVarLogMessages(
   t: ExecutionContext<any>,
   envVars: string[],
   messages: LoggedMessage[],
-  expectSet: boolean,
+  expectSet: boolean | string,
 ) {
-  const template = (envVar: string) =>
-    expectSet
+  const template = (envVar: string) => {
+    if (typeof expectSet === "string") {
+      return `Environment variable '${envVar}' is set to '${expectSet}'`;
+    }
+    return expectSet
       ? `Environment variable '${envVar}' is set to '${envVar}'`
       : `Environment variable '${envVar}' is not set`;
+  };
 
   const expected: string[] = [];
 
@@ -145,6 +149,23 @@ test("checkProxyEnvVars - logs values when variables are set", (t) => {
   assertEnvVarLogMessages(t, Object.values(ProxyEnvVars), messages, true);
 });
 
+test("checkProxyEnvVars - credentials are removed from URLs", (t) => {
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  for (const envVar of Object.values(ProxyEnvVars)) {
+    process.env[envVar] = "https://secret:password@proxy.local";
+  }
+
+  checkProxyEnvVars(logger);
+  assertEnvVarLogMessages(
+    t,
+    Object.values(ProxyEnvVars),
+    messages,
+    "https://proxy.local/",
+  );
+});
+
 test("checkProxyEnvironment - includes base checks for all known languages", (t) => {
   for (const language of Object.values(KnownLanguage)) {
     const messages: LoggedMessage[] = [];
diff --git a/src/start-proxy/environment.ts b/src/start-proxy/environment.ts
index c59db4ffd..17de418c3 100644
--- a/src/start-proxy/environment.ts
+++ b/src/start-proxy/environment.ts
@@ -16,7 +16,14 @@ import { getErrorMessage, isDefined } from "../util";
 function checkEnvVar(logger: Logger, name: string): boolean {
   const value = process.env[name];
   if (isDefined(value)) {
-    logger.info(`Environment variable '${name}' is set to '${value}'.`);
+    const url = URL.parse(value);
+    if (isDefined(url)) {
+      url.username = "";
+      url.password = "";
+      logger.info(`Environment variable '${name}' is set to '${url}'.`);
+    } else {
+      logger.info(`Environment variable '${name}' is set to '${value}'.`);
+    }
     return true;
   } else {
     logger.debug(`Environment variable '${name}' is not set.`);