Add 'secret-opts' option to manifest #408
Conversation
What do you prefer for showing unresolved arguments (I use OBS Studio CEF as an example):
Note: the quotes are added by flatpak-builder
One use case we need to think about is how to handle projects that use
I added an example:

```json
{
    "name": "obs",
    "buildsystem": "cmake-ninja",
    "builddir": true,
    "build-commands": [
        "echo $CEF"
    ],
    "secret-env": [
        "CEF"
    ],
    "config-opts": [
        "-DCMAKE_BUILD_TYPE=Release",
        "-DENABLE_WAYLAND=ON",
        "-DBUILD_BROWSER=ON",
        "-DUNIX_STRUCTURE=ON",
        "-DUSE_XDG=ON",
        "-DDISABLE_ALSA=ON",
        "-DENABLE_PULSEAUDIO=ON",
        "-DWITH_RTMPS=ON"
    ],
    "secret-opts": [
        "-DCEF_ROOT_DIR=$CEF"
    ],
    "sources": [
        {
            "type": "dir",
            "path": "../../"
        }
    ]
}
```
After somebody does some hands-on testing I think this is good.
Some applications have security tokens passed by their build system. In these cases, this option allows their use without distributing them in the bundle.
Like 'secret-opts' but meant to be used with build-commands and post-install steps.
I've tested this pull request with OBS Studio (which is where this use case stemmed from) by modifying the manifest to this:
To build, I first set some environment variables on my host system:
(I purposefully set these env vars to something that would break the build later on, so that we can be sure they're being propagated properly.) Then I ran the patched flatpak-builder:
The secret variables were not leaked by the build command:
The build went fine, and as expected it failed with the values I set in the environment variables:
So there you go, the evidence that this pull request is working 🙂
Meant to replace #406
Some applications have security tokens passed by their build system. In these cases, this option allows their use without distributing them in the bundle.
This PR adds the new options `secret-opts` and `secret-env`. The first is meant to be used with build systems like cmake and meson, the last is meant to be used with 'build-commands' and 'post-install'.
The builder checks `secret-opts` for a `$` + "env var name" showing which host env var shall replace it. The builder will replace them on the fly. If the env var doesn't exist or the `$` is missing, the option will be ignored. This way, the bundle still contains the manifest and even shows that this bundle has secrets.
It's mainly meant to be used with CI like GitHub Actions or GitLab CI/CD secrets.
This is the first time I manipulate C code with GLib functions, so feedback is welcome.
Same for the documentation, I feel I didn't do a great job.
Here, I try this new option with a modified obs-studio manifest, setting `-DCEF_ROOT_DIR` as a secret option, and put this command before building:

```sh
export CEF=/app/cef
```

Since those secrets leak in the verbose output with the print of the used command, it now prints a version of this command with unresolved arguments if there are secrets.
And so the verbose log now looks like this:
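The verbose log the PR author refers to is not reproduced on this page. To make the substitution and redaction rules described in the PR concrete, here is an added example in Python; it is not flatpak-builder's own code (which is C with GLib) and it models the described behaviour, not the actual implementation. It assumes a secret option has the shape `<prefix>$VAR` (the `-DCEF_ROOT_DIR=$CEF` form used above); `${VAR}` and references in the middle of a value are treated as unsupported here, which is an assumption of this example. The host environment and option lists are constructed sample data. `build_argv`, `format_for_log`, `secret_env_for_build` and `leaks_secret` are hypothetical helper names.

```python
import re
import shlex

# Matches a secret option of the form "<prefix>$VAR", e.g. "-DCEF_ROOT_DIR=$CEF".
# Assumption of this example: "${VAR}" and mid-value references are not supported.
_SECRET_REF = re.compile(r"^(?P<prefix>[^$]*)\$(?P<var>[A-Za-z_][A-Za-z0-9_]*)$")


def resolve_secret_opts(secret_opts, host_env):
    """Expand each 'secret-opts' entry from the host environment.

    Returns (resolved, unresolved):
      resolved   - options with $VAR replaced by host_env[VAR]; only ever
                   handed to the build system, never logged.
      unresolved - the same options with $VAR left in place; safe to log.
    An entry without a '$VAR' reference, or whose variable is not set on the
    host, is dropped from both lists (the PR description says such options
    are ignored).
    """
    resolved, unresolved = [], []
    for opt in secret_opts:
        m = _SECRET_REF.match(opt)
        if m is None:
            continue  # no '$': ignored
        value = host_env.get(m.group("var"))
        if value is None:
            continue  # host env var missing: ignored
        resolved.append(m.group("prefix") + value)
        unresolved.append(opt)
    return resolved, unresolved


def build_argv(config_opts, secret_opts, host_env, configure_cmd="cmake"):
    """Return (argv_to_run, argv_to_log) for the configure step.

    argv_to_run carries the expanded secrets; argv_to_log carries the
    unresolved '$VAR' form and is what a verbose log line should show.
    """
    resolved, unresolved = resolve_secret_opts(secret_opts, host_env)
    argv_to_run = [configure_cmd] + list(config_opts) + resolved
    argv_to_log = [configure_cmd] + list(config_opts) + unresolved
    return argv_to_run, argv_to_log


def format_for_log(argv):
    """Shell-quote argv the way a verbose 'Running: ...' line would show it;
    arguments containing '$' come out single-quoted."""
    return " ".join(shlex.quote(a) for a in argv)


def secret_env_for_build(secret_env, host_env):
    """'secret-env' counterpart: pick the named host variables that are set,
    so they can be exported into the build environment without their values
    ever appearing in the manifest."""
    return {name: host_env[name] for name in secret_env if name in host_env}


def leaks_secret(log_line, resolved_opts):
    """Check helper: True if any expanded secret value appears in a log line."""
    values = [opt.split("=", 1)[-1] for opt in resolved_opts]
    return any(v and v in log_line for v in values)


if __name__ == "__main__":
    # Constructed host environment, standing in for CI secrets.
    host_env = {"CEF": "/app/cef", "TOKEN": "hunter2"}
    config_opts = ["-DCMAKE_BUILD_TYPE=Release", "-DBUILD_BROWSER=ON"]
    secret_opts = ["-DCEF_ROOT_DIR=$CEF",   # resolved from host
                   "-DAPI_TOKEN=$TOKEN",    # resolved from host
                   "-DNOT_SET=$MISSING",    # env var absent: ignored
                   "-DNO_DOLLAR=literal"]   # no '$': ignored
    run, log = build_argv(config_opts, secret_opts, host_env)
    print("leaky   :", format_for_log(run))  # what a naive verbose print would show
    print("redacted:", format_for_log(log))  # the unresolved form described in the PR
    print("secret-env:", secret_env_for_build(["CEF", "TOKEN", "MISSING"], host_env))
```

The `leaks_secret` check is the test a reviewer would want after the "hands-on testing" remark above: run the redacted line through it with the expanded values and confirm nothing matches, while the un-redacted line does.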