HyukjinKwon opened a new pull request, #48773:
URL: https://github.com/apache/arrow/pull/48773

### Rationale for this change

The dev workflow was writing `GITHUB_TOKEN` to disk (`dev/release/.env` file), which is a security risk. Even though GitHub Actions redacts secrets in logs, writing them to disk can expose them if the runner is compromised or debug artifacts are uploaded.

Following [GitHub's official security guidance](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#good-practices-for-using-secrets), secrets should be passed via environment variables instead of being written to files or command-line arguments.

### What changes are included in this PR?

- Pass `GH_TOKEN` via `env:` instead of writing to disk with `echo ... > .env`
- Check `ENV["GITHUB_ACTIONS"]` to determine environment
  - In CI: read token from `ENV["GH_TOKEN"]`
  - Local dev: read from `.env` file (preserves original behavior for developers)

### Are these changes tested?

Will be tested in CI on this PR.

### Are there any user-facing changes?

No, dev-only.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
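The token lookup the PR describes (environment variable in CI, `.env` file only for local development), written out as an added Ruby example that is not Arrow's own `dev/release` code; the `.env` file name, the `parse_dotenv` helper and the `github_token` function are assumptions made for this illustration, and `GITHUB_ACTIONS=true` is the variable GitHub sets on hosted runners:

```ruby
# Added example (not Arrow's dev/release code): resolve the GitHub token the
# way the PR describes. In CI the secret arrives through the process
# environment (workflow `env:`), so nothing is ever written to disk; the .env
# file is consulted only outside GitHub Actions.

# Minimal .env parser: KEY=VALUE lines, '#' comments, optional double quotes.
def parse_dotenv(contents)
  contents.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    next if key.nil? || value.nil?
    vars[key.strip] = value.strip.delete_prefix('"').delete_suffix('"')
  end
end

# env:      the process environment (pass ENV in real use; a Hash in tests).
# env_file: developer-local .env path (assumed name, as in the PR text).
# Returns the token, or raises if it cannot be found where it is expected.
def github_token(env, env_file: "dev/release/.env")
  if env["GITHUB_ACTIONS"] == "true"
    # CI: the workflow supplies the secret via `env:`; no fallback to disk,
    # so a missing variable is a configuration error rather than a silent leak.
    token = env["GH_TOKEN"]
    raise "GH_TOKEN is not set in the CI environment" if token.nil? || token.empty?
    return token
  end

  # Local development keeps the original behaviour: read the .env file.
  raise "#{env_file} not found; create it with GITHUB_TOKEN=<token>" unless File.exist?(env_file)
  parse_dotenv(File.read(env_file)).fetch("GITHUB_TOKEN") do
    raise "GITHUB_TOKEN missing from #{env_file}"
  end
end
```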