Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: encode gh actions outputs #218

Merged
merged 1 commit into from
Oct 23, 2023
Merged

chore: encode gh actions outputs #218

merged 1 commit into from
Oct 23, 2023

Conversation

salasberryfin
Copy link
Contributor

@salasberryfin salasberryfin commented Oct 19, 2023
edited
Loading

What this PR does / why we need it:

GitHub detects outputs containing substrings that are part of secrets as insecure and blocks us from sharing them with downstream jobs. This is a proposal to fix this issue by double encoding outputs so that they are obfuscated. Then, these outputs are decoded in the signing/provenance jobs.

These outputs are not actually sensitive data but just the image location and, worst case scenario (user decodes the string output), this data is public anyway.

Which issue(s) this PR fixes:
Fixes #211

Special notes for your reviewer:

Checklist:

  • squashed commits into logical changes
  • includes documentation
  • adds unit tests
  • adds or updates e2e tests

@salasberryfin salasberryfin requested a review from a team as a code owner October 19, 2023 09:13
@salasberryfin salasberryfin force-pushed the encrypt-secret-outputs branch 13 times, most recently from fb0ce00 to a1fe525 Compare October 19, 2023 13:51
@salasberryfin salasberryfin changed the title WIP: chore: encrypt gh actions secret outputs chore: encrypt gh actions secret outputs Oct 19, 2023
@Danil-Grigorev
Copy link
Contributor

I think the better way to handle this is by using existing github tooling: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#workflow

@salasberryfin salasberryfin force-pushed the encrypt-secret-outputs branch 8 times, most recently from 183fc65 to e77f249 Compare October 20, 2023 14:24
@salasberryfin salasberryfin changed the title chore: encrypt gh actions secret outputs WIP: chore: encrypt gh actions secret outputs Oct 20, 2023
@salasberryfin
Copy link
Contributor Author

I think the better way to handle this is by using existing github tooling: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#workflow

The problem with this approach is that it uses an external secret store.

@salasberryfin salasberryfin force-pushed the encrypt-secret-outputs branch 3 times, most recently from 5889f5a to 3fd3062 Compare October 20, 2023 15:22
@salasberryfin
chore: encode gh actions outputs
dde8940 
Signed-off-by: Carlos Salas <carlos.salas@suse.com>
@salasberryfin salasberryfin changed the title WIP: chore: encrypt gh actions secret outputs WIP: chore: encode gh actions outputs Oct 20, 2023
@salasberryfin salasberryfin changed the title WIP: chore: encode gh actions outputs chore: encode gh actions outputs Oct 20, 2023
@salasberryfin salasberryfin merged commit fc55866 into rancher:main Oct 23, 2023
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@furkatgofurov7 furkatgofurov7 furkatgofurov7 approved these changes

@richardcase richardcase richardcase approved these changes

Assignees
No one assigned
Labels
kind/chore
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Release] Prod signing failing
4 participants
@salasberryfin @Danil-Grigorev @richardcase @furkatgofurov7