run the task before registering the task definition #2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is because we use GITHUB_TOKEN as a task environment variable. Environment variables are stored in the clear in a task definition. When the task definition is registered, the token is available in the task definition. This is okay because the token expires at the end of a GitHub Actions job. However, if the task definition is registered first (and the token is exposed) and the task takes a while to run then a valid token is exposed for the duration of the long-running task. This commit runs the task first. Immediately after the task finishes running, the task definition is registered. Since this action is the last step of the job, the token expires after the registration completes. The token exposd in the task definition is invalid.
ben-harvey
reviewed
Sep 8, 2023
| @@ -95,6 +95,7 @@ async function run() { | |||
|
|
|||
| // Get inputs | |||
| const taskDefinitionFile = core.getInput('task-definition', { required: true }); | |||
| const taskDefArnToRun = core.getInput('task-definition-arn', { required: true }); | |||
There was a problem hiding this comment.
I think adding this as a required variable means that the README examples are now out of date. Will you take a look and see if the README needs any other updates?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://jiraent.cms.gov/browse/CMCSMACD-1626
Description of changes:
We use GITHUB_TOKEN as a task environment variable. Environment variables are stored in the clear in a task definition. When the task definition is registered, the token is visible in the task definition.
This is okay because the token expires at the end of a GitHub Actions job. However, if the task definition is registered first (and the token is exposed) and the task takes a while to run then a valid token is exposed for the duration of the long-running task.
This commit runs the task first. Immediately after the task finishes running, the task definition is registered. Since this action is the last step of the job, the token expires after the registration completes. The token that is exposd in the task definition after it expires.
Tested:
Printed out the task definition that was used to the run the task.
Printed out the task definition that was registered after the task ran.
The action runs task definition revision artillery-dev:107.
The action registers task definition revision artillery-dev:108.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.