Skip to content

v1.4.0 — forward cloud creds into box env + lease-TTL leak fix

Latest

Choose a tag to compare

@hsinatfootprintai hsinatfootprintai released this 09 Jun 02:14
b754031

Forward cloud credentials into the box env (#39, closes #19)

Box-CI roles that run inside the box and drive the cloud REST API now get credentials. The always-needed trio CONTAINARIUM_SERVER / CONTAINARIUM_TOKEN / CONTAINARIUM_ORG (org from the existing org-id input) is forwarded into the box's setup/test command env, plus a new optional multiline env: input (KEY=VALUE per line) for extras like a second org's CONTAINARIUM_TOKEN_PEER / CONTAINARIUM_ORG_PEER.

Done securely: secrets are written to a mode-0600 file (umask 077), scp'd over the existing channel, and chmod 600 on the box — never on the ssh argv (which would leak into the box process list and Action logs). Every value is ::add-mask::'d, the file is sourced before the command runs, and it's stripped on the keep-on-failure debug path so a debugger can't inherit the CI token.

Unblocks arming the Containarium-cloud actuation verifier (#192) and the Layer-4 per-org network-isolation sentry (#191) — the two remaining MVP verification gates.

Consumer usage

- uses: FootprintAI/containarium-run@v1.4.0
  with:
    server: ${{ secrets.CONTAINARIUM_SERVER }}
    token:  ${{ secrets.CONTAINARIUM_TOKEN }}
    org-id: ${{ vars.CONTAINARIUM_ORG }}
    env: |
      CONTAINARIUM_TOKEN_PEER=${{ secrets.CONTAINARIUM_TOKEN_PEER }}
      CONTAINARIUM_ORG_PEER=${{ vars.CONTAINARIUM_ORG_PEER }}

Lease TTL + heartbeat — no box ever leaks (#37, Containarium#526)

Every box is now born with a short birth TTL (default 20m) stamped right after create, renewed by a background heartbeat while the job runs, so a CANCELLED job or a runner that dies mid-run can no longer leak a box — it self-reaps within one window. Success still deletes immediately; failure still keeps for the debug window.

Full changelog: v1.3.0...v1.4.0