From eabf60349346950549ed65f6beb018b4680f7968 Mon Sep 17 00:00:00 2001
From: Taiki Endo
Date: Sun, 19 Apr 2026 01:15:51 +0900
Subject: [PATCH] Add note about unset
---
 main.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/main.sh b/main.sh
index ea51be8b..e3310c45 100755
--- a/main.sh
+++ b/main.sh
@@ -494,6 +494,8 @@ token="${GITHUB_TOKEN:-"${GH_TOKEN:-"${DEFAULT_GITHUB_TOKEN:-}"}"}"
 # This prevents tokens from being exposed to subprocesses via environment variables.
 # Since the tokens remain in memory, setting `fallback: none` (which prevents the tokens from being
 # set in the first place) remains the best practice from a security standpoint, as readme says.
+# Note that this does not prevent token leaks via reading `/proc/*/environ` on Linux or
+# via `ps -Eww` on macOS. It only reduces the risk of leaks.
 unset GITHUB_TOKEN GH_TOKEN DEFAULT_GITHUB_TOKEN
 # Refs: https://github.com/rust-lang/rustup/blob/HEAD/rustup-init.sh
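Review bot: The two added comment lines name the remaining read paths but not why `unset` leaves them open or who can use them, so "It only reduces the risk of leaks" gives a reader nothing to act on. As far as I know, the environment a process was started with stays readable through `/proc/<pid>/environ` after the shell unsets the variables, and it is readable by other processes of the same user, which would include tools this script launches later. I would state that directly, for example `# Note that unset does not scrub the environment this process was started with: same-user processes` followed by `# (including children of this script) can still read it via /proc/<pid>/environ on Linux or ps -Eww on macOS.` The comment block being extended appears to begin above the hunk, so the wording should be checked against its opening lines.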