Skip to content

Set permissions; do not persist credentials. #162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Set permissions; do not persist credentials. #162

wants to merge 3 commits into from

Conversation

BigBlueHat
Copy link
Member

No description provided.

@BigBlueHat
Copy link
Member Author

@PatStLouis could you run zizmor locally and address the last two remaining concerns there? I'm less familiar with how you have this setup and what the cache needs are for this action. Thanks!

@PatStLouis
Copy link
Collaborator

Caching in regards to docker is mostly for optimization. Here's the relevant documentation:
https://docs.docker.com/build/cache/optimize/

I can have a look at the tool you provided. I also see 2 comments in the docker file linking to gh issues, I can look at the status of these since its been some time this action has been created.

@PatStLouis
remove gh action caching on image build for security hardening
e6243fa 
Signed-off-by: PatStLouis <patrick.st-louis@opsecid.ca>
@PatStLouis
Copy link
Collaborator

@BigBlueHat I had a quick read through this guide outlining caching exploits
https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/

In the case of gh action builds, the only recommendations seems to be to avoid caching for the time being.

I've removed the steps that used caching. For this use case, I think its fair to say the impact would be minimal. This action is only triggered on a release and the impact will be a slower build time, which is fine as this is a small image.

PatStLouis
PatStLouis approved these changes Sep 4, 2025
View reviewed changes
Copy link
Collaborator

@PatStLouis PatStLouis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PatStLouis PatStLouis PatStLouis approved these changes

@davidlehn davidlehn Awaiting requested review from davidlehn

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@BigBlueHat @PatStLouis