feat: allow to template builds.env #2583
Conversation
Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
Codecov Report

@@ Coverage Diff @@
##           master    #2583      +/-   ##
==========================================
+ Coverage   84.65%   84.69%   +0.03%
==========================================
  Files         100      100
  Lines        7325     7343      +18
==========================================
+ Hits         6201     6219      +18
  Misses        929      929
  Partials      195      195

Continue to review full report at Codecov.
This looks useful in the context you mentioned (as demonstrated by cosign).
I see that the variables are only passed to the build commands, not to hooks, which seems like a good idea in principle IMO, but I'm not sure this intention/behaviour is immediately obvious.
Perhaps that can be addressed with documentation, or a different name, such as build_env? I'm not sure, just thinking out loud... 🤔
noticed that as well, and also not sure why... I think it's more likely to be a bug...
I think it depends on what we expect folks to store in these variables, but it was initially intentional as far as I can remember, because hooks are likely to be less trusted as external programs. Say that there's a vulnerability in that program which runs as post-hook, allowing it to exfiltrate any ENV variables (credentials). Having a more explicit relationship between what variables are passed to each hook reduces the impact of such a leak. This is AFAICT the same reason why GitHub Actions do not have "shared ENV variables" that would enable this "exfiltration by accident" but instead you're forced to type out Naturally none of this is concern for the
hmm, yeah, you're right, that makes sense... leaving as is then... will improve the docs about it later 🙏
FWIW @radeksimko right now hooks see the build.envs...
ok, assuming the env on hooks as well, this is basically wrong. Will close
This PR allows templates in the builds.env section. This should help improve configs like this one from cosign to something like:

thoughts?
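The two ideas in this thread, templating the KEY=VALUE entries of builds.env and passing each external program an explicitly scoped environment rather than everything the build saw, can be shown together in a small Go program. This is an added example, not goreleaser's own code: the template field names .Version, .Commit and .Env mirror what goreleaser exposes to templates, but the Context struct, RenderEnv, ScopeEnv and RunWithEnv functions and the sample entries are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
	"text/template"
)

// Context is an assumed stand-in for the template context: the field names
// match goreleaser's .Version, .Commit and .Env, the struct itself is ours.
type Context struct {
	Version string
	Commit  string
	Env     map[string]string
}

// RenderEnv renders each KEY=VALUE entry through text/template. A reference
// to an unset .Env key is treated as an error instead of silently producing
// "<no value>", so a misspelled variable fails the build rather than leaking
// an empty credential into the build command.
func RenderEnv(entries []string, ctx Context) ([]string, error) {
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		t, err := template.New("env").Option("missingkey=error").Parse(e)
		if err != nil {
			return nil, fmt.Errorf("parse %q: %w", e, err)
		}
		var buf bytes.Buffer
		if err := t.Execute(&buf, ctx); err != nil {
			return nil, fmt.Errorf("render %q: %w", e, err)
		}
		out = append(out, buf.String())
	}
	return out, nil
}

// ScopeEnv keeps only the entries whose key is on the allow list, so a hook
// receives an explicit subset of the build environment instead of all of it.
func ScopeEnv(env []string, allowed []string) []string {
	allow := make(map[string]bool, len(allowed))
	for _, k := range allowed {
		allow[k] = true
	}
	var out []string
	for _, e := range env {
		key := strings.SplitN(e, "=", 2)[0]
		if allow[key] {
			out = append(out, e)
		}
	}
	return out
}

// RunWithEnv runs a program with exactly the given environment. Setting
// cmd.Env to a constructed slice (not os.Environ()) is what prevents the
// child from inheriting the parent's secrets.
func RunWithEnv(env []string, name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	cmd.Env = env
	out, err := cmd.CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed sample: one plain entry, two templated ones.
	ctx := Context{Version: "1.2.3", Commit: "abc1234", Env: map[string]string{"KEY_REF": "example-key-ref"}}
	entries := []string{"CGO_ENABLED=0", "VERSION={{ .Version }}", "SIGNING_KEY={{ .Env.KEY_REF }}"}

	buildEnv, err := RenderEnv(entries, ctx)
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	fmt.Println("build env:", buildEnv)

	// The post-build hook only needs VERSION; SIGNING_KEY is withheld.
	hookEnv := ScopeEnv(buildEnv, []string{"VERSION"})
	out, err := RunWithEnv(hookEnv, "sh", "-c", `echo "VERSION=$VERSION SIGNING_KEY=${SIGNING_KEY:-unset}"`)
	fmt.Print("hook sees: ", out)
	if err != nil {
		fmt.Println("hook failed:", err)
	}
}
```

The hook in main prints `SIGNING_KEY=unset` because ScopeEnv never handed it the signing reference; the same shell command run with buildEnv would print the value, which is the accidental-exfiltration path the thread describes.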