git: set token only for main remote access #1987
Conversation
tonistiigi
changed the title
Signed-off-by: Tonis Tiigi <[email protected]>
tonistiigi
force-pushed
the
git-token-scope
branch
from
d92bce6 to
5bf6429
Compare
|
Why do we add httpurl when the prefix is not found? Why does the logic not look like this: if there is a prefix, add a auth header. Otherwise no |
|
@MarshalX Token auth is not specific to github. If repo is in another location we still need to set token header. The difference is that we set the token header only for the specific repository. But in case of github we know that a token always works for other github repositories as well(including public repos) so we don't set the token for a specific repository but to any repo under github.com. |
|
Does this need a backport for v0.8 ? |
|
@crazy-max If you confirm this is safe to take to actions right away we can cherry pick |
|
@tonistiigi Yes safe to me. I also did a bit more digging and noticed that there was a potential SSRF about this config in GitLab but nothing that concerns us because this part is sanitized and also Git environment is controlled in the buildkit image. |
fix docker/build-push-action#300
When setting the token for the request scope it to the main URL only so that it is not used for fetching irrelevant submodules. If submodules don't understand the token they can fail the fetch.
This is documented in https://git-scm.com/docs/git-config#Documentation/git-config.txt-httplturlgt
@crazy-max @MarshalX
Signed-off-by: Tonis Tiigi [email protected]