ci: expose protected file credentials in trusted workflows #192
Conversation
|
Can you add a comment to each file that explains your security considerations? The idea is that when someone finds the code in the future, they can see why the env vars are not available in PRs. |
| env: | ||
| # Security note! The secrets are only added to workflows that run on trusted branches (main). If secrets are accessible in workflows that run on untrusted branches they can be extracted, see https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#exfiltrating-data-from-a-runner. | ||
| ESS_PROTECTED_FILESTORE_USERNAME: ${{ secrets.ESS_PROTECTED_FILESTORE_USERNAME }} | ||
| ESS_PROTECTED_FILESTORE_PASSWORD: ${{ secrets.ESS_PROTECTED_FILESTORE_PASSWORD }} |
There was a problem hiding this comment.
We were recently trying to remove Scipp and ESS-specifics from the copier-template. This seems to counter that effort?
There was a problem hiding this comment.
Yes it does 🤔 how do we fix that?
There was a problem hiding this comment.
You could move it into the ess template. But then it could not be used in ScippNeutron and ScippNexus.
There was a problem hiding this comment.
Can I move it to ess_template when the actions using the variables are defined here in copier_template?
There was a problem hiding this comment.
Yes. The templates will be merged into the same repo. GH CI won't care where the files ultimately come from.
There was a problem hiding this comment.
But then I have to move the entire workflow files (nightly.yaml for example) to ess_template. Or can I just move the part that concerns the environment variables?
There was a problem hiding this comment.
Is there a way to move the env section to a custom file that gets included in the workflow, and write the custom file content only if the template is rendered for our projects?
There was a problem hiding this comment.
Maybe, is there an example of a similar mechanism somewhere else in the copier template?
There was a problem hiding this comment.
There was a problem hiding this comment.
Still unsure what you have in mind. The file you mentioned is just a jinja template with a parameter from the copier answers file, and it doesn't involve the other ess copier template. Not sure what I'm supposed to take from that. Let's talk about it tomorrow.
This change adds environment variables containing credentials that can be used to read files in the protected folder on the file server.
The environment variables are only added to workflows that run on the main branch that is assumed to be trusted.
If the environment variables would be added to typical CI workflows then the credentials could be extracted by someone without write permission to the main branch.
With this change workflows can look for the environment variables and read protected files if they find them.