Fix security issue in CI #17545
Curiously github is not picking up a force push
Force-push: 00ea9f0 to ba2f3fe
Thanks @haampie, this is a good catch. Do you think there might ever be a need to be able to upload this artifact (e.g. in a private gitlab instance)? It could be an option which defaults to not uploading it. Otherwise I think I'm fine if it never gets uploaded. Obviously I'm never looking at it, I just thought it would be useful at one point, so I added it.
This looks good to me, thanks @haampie! Can this be backported to the current v0.15 release? I'm not sure of the process for that.
Though it's just failing a test, which should be easy to fix, I can push a commit on this branch if you want.
The `spack-build-env.txt` file may contain many secrets, but the obvious one is the private signing key in `SPACK_SIGNING_KEY`. This file is nonetheless uploaded as a build artifact to gitlab. For anyone running CI on a public version of Gitlab this is a major security problem. Even for private Gitlab instances it can be very problematic.
Co-authored-by: Scott Wittenburg <scott.wittenburg@kitware.com>
This reverts commit 24dff9c. keys, aws credentials, etc. from the CI process. But the spack-build.env file can be useful for reproducing CI builds on the command line, so now we first filter out the secrets before writing the environment file, then continue uploading it as an artifact like before.
The `spack-build-env.txt` file may contain many secrets, but the obvious one is the private signing key in `SPACK_SIGNING_KEY`. This file is nonetheless uploaded as a build artifact to gitlab. For anyone running CI on a public version of Gitlab this is a major security problem. Even for private Gitlab instances it can be very problematic.
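The approach described in the commit message above, filtering secrets out of the environment before the build-environment file is written and uploaded, as an added Python example that is not Spack's own code. `SPACK_SIGNING_KEY` is the variable named in the PR; the AWS names, the name fragments, the PEM/PGP value check and the sample environment are assumptions constructed for the example.

```python
import re
import shlex
from typing import Dict

# Variable names that must never reach an artifact. SPACK_SIGNING_KEY is the
# one named in the PR; the AWS names are constructed examples.
SECRET_NAMES = {
    "SPACK_SIGNING_KEY",
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "AWS_SESSION_TOKEN",
}
# Heuristic (assumption): names containing these fragments are treated as secrets.
SECRET_NAME_PATTERN = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL", re.I)
# Values carrying PEM/PGP private-key material are redacted whatever the name.
SECRET_VALUE_PATTERN = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY( BLOCK)?-----")
REDACTED = "<redacted>"


def is_secret(name: str, value: str) -> bool:
    """True if the variable should be stripped before the env file is written."""
    if name in SECRET_NAMES or SECRET_NAME_PATTERN.search(name):
        return True
    return SECRET_VALUE_PATTERN.search(value) is not None


def redact_env(env: Dict[str, str]) -> Dict[str, str]:
    """Copy env, replacing secret values with a placeholder.

    The variable name is kept so the file still documents which settings the
    build needed, which is what makes it useful for reproducing CI builds by hand.
    """
    return {k: (REDACTED if is_secret(k, v) else v) for k, v in env.items()}


def render_build_env(env: Dict[str, str]) -> str:
    """Render the redacted environment as `export NAME=value` lines."""
    safe = redact_env(env)
    return "".join(f"export {k}={shlex.quote(safe[k])}\n" for k in sorted(safe))


# Constructed sample environment; the key material is a placeholder, not a real key.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "SPACK_ROOT": "/opt/spack",
    "SPACK_SIGNING_KEY": "-----BEGIN PGP PRIVATE KEY BLOCK-----\nPLACEHOLDER\n-----END PGP PRIVATE KEY BLOCK-----",
    "AWS_SECRET_ACCESS_KEY": "PLACEHOLDER-aws-secret",
    "CI_JOB_TOKEN": "PLACEHOLDER-job-token",
    "ODDLY_NAMED": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----",
}

if __name__ == "__main__":
    print(render_build_env(SAMPLE_ENV))
```

Run the file to see the rendered lines; every secret appears as `<redacted>` while `PATH` and `SPACK_ROOT` survive unchanged.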