docs: Add changelog entry for registry-username secret #1648
Conversation
Signed-off-by: Ian Lewis <ianlewis@google.com>
@@ -86,6 +86,7 @@ | |||
#### New Features | |||
|
|||
- A new boolean [`continue-on-error`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#workflow-inputs) input was added which, when set to `true`, prevents the workflow from failing when a step fails. If set to true, the result of the reusable workflow will be return in the [`outcome`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#workflow-outputs) output. | |||
- A new [`repository-username`](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#workflow-inputs) secret input was added to allow users to pass their repository username that is stored in a [Github Actions encrypted secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets). |
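Review bot: the added entry names the input `repository-username`, while the PR title and the `registry-username-changelog` branch call it `registry-username`; check the real input name in the container builder README the entry links to and use it consistently, otherwise the anchor link and the text disagree. The entry also needs the guidance raised in the review thread: because Actions replaces every occurrence of a secret's value in job logs, a low-entropy username will be masked inside unrelated strings such as hashes and can fail the workflow, so state that the secret input is only for high-entropy usernames and point users who merely want the name out of source control to configuration variables instead. Minor: `Github` should be `GitHub`.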
This will make the workflow fail if the username has low entropy, because GH scanning will find it in other strings like our hashes. Can we be more prescriptive about which option to use? For example, can we say that the secret option should only be used with high-entropy secrets and give an example of cloud providers where it's suitable? I think someone had mentioned that AWS usernames have high entropy.
In the case where the username should not be a secret but users still want to avoid committing it to the source code of the repo, we should tell users to use https://github.blog/2023-01-10-introducing-required-workflows-and-configuration-variables-to-github-actions/
Wdut?
Thanks. That's a good call. I'll add a note about it here and more details in the docs on workflow inputs that it links to.
I assume the entropy issue is not that GitHub checks the entropy but just that something with low entropy will match hashes etc. more often?
Correct, that's my understanding as well.
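The failure mode discussed in the thread, as an added example that is not part of the PR or the project's code: GitHub Actions replaces every occurrence of a registered secret's value in job output with `***`, so a short or hex-looking username registered as a secret gets masked wherever those characters happen to appear, including inside an image digest that a later step needs to read. The `mask_secrets` function below is a simplified stand-in for that masking (an assumption, not GitHub's implementation), and the digest and the two usernames are constructed for the example.

```python
"""Model of Actions log masking colliding with a low-entropy username.

mask_secrets() is a simplified stand-in for GitHub's masking, not its
implementation; the digest and usernames below are constructed inputs.
"""
import hashlib
import re

MASK = "***"
# A digest is usable downstream only if all 64 hex characters survive.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def mask_secrets(line: str, secrets: list[str]) -> str:
    """Replace each registered secret value with MASK wherever it occurs."""
    for value in secrets:
        if value:
            line = line.replace(value, MASK)
    return line


def digest_survives_masking(username: str, digest: str) -> bool:
    """True if a log line carrying the image digest is still parseable after
    `username` has been registered as a secret and the line has been masked."""
    line = f"Built image with digest sha256:{digest}"
    masked = mask_secrets(line, [username])
    return DIGEST_RE.search(masked) is not None


def demo() -> dict[str, bool]:
    """Compare a low-entropy and a high-entropy username against one digest."""
    # Constructed digest: hash of a fixed byte string, so the run is deterministic.
    digest = hashlib.sha256(b"hello world").hexdigest()
    # Short, hex-only username: its characters occur inside the hex digest.
    low_entropy = "ace"
    # Long username with non-hex characters: it cannot occur inside a hex digest.
    high_entropy = "u_9Qx7ZkT2vLp"
    return {
        "low_entropy_username_survives": digest_survives_masking(low_entropy, digest),
        "high_entropy_username_survives": digest_survives_masking(high_entropy, digest),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The first check fails because the masked line now reads `...f7***2efcde9` and no longer contains a full 64-character digest; the second passes because the high-entropy value never appears in the output. When the username does not actually need to be secret, a repository or organization configuration variable (read through the `vars` context in the workflow) keeps it out of the source tree without registering it for masking.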
Signed-off-by: Ian Lewis <ianlewis@google.com>
…o registry-username-changelog Signed-off-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: Ian Lewis ianlewis@google.com