feat(cli): context by environment #148
Conversation
Zenithar
force-pushed
the
feat_cli_context_by_environment
branch
from
8509e46 to
ab47f35
Compare
|
Heey @Zenithar, Will keep you posted. |
|
The linter is failing. https://github.com/Zenithar/slsa-provenance-action/runs/5336373702?check_suite_focus=true I'm not sure why? |
I stopped the process because it requires tokens I don't have for various steps. |
marcofranssen
force-pushed
the
feat_cli_context_by_environment
branch
from
ab47f35 to
46bd78a
Compare
Signed-off-by: Thibault NORMAND <[email protected]>
Signed-off-by: Thibault NORMAND <[email protected]>
Signed-off-by: Thibault NORMAND <[email protected]>
Signed-off-by: Thibault NORMAND <[email protected]>
Zenithar
force-pushed
the
feat_cli_context_by_environment
branch
from
c2b6ca6 to
c2b5e37
Compare
There was a problem hiding this comment.
@Zenithar thanks a lot for your contribution.
I found a few nit picky things that could use improvement. Furthermore we should perform one additional test regarding the base64 encoding change also see #116.
Also would like to understand the reasoning for the limit reader.
Also happy to have a chat, to verbally discuss.
Thanks a lot.
.github/workflows/test.yaml
Outdated
| matrix: | ||
| os: [ubuntu-latest, macos-latest, windows-latest] | ||
| steps: | ||
| - |
There was a problem hiding this comment.
Could you align the yaml formatting like we do in our other workflows?
- name:
I would also love to have this job integrated in our ci workflow.
It should run after the build
but before the job release
There was a problem hiding this comment.
The idea of these tests is to test the released code in a multi-platform context. That's why they don't use local action source but a named release. Do you think that I should use local code only?
There was a problem hiding this comment.
Using local code we can capture the bug you resolved before cutting out another release. Would be great to have that.
| @@ -40,15 +40,8 @@ runs: | |||
| id: compose-args | |||
| shell: bash | |||
| run: | | |||
| encoded_github="$(echo ${GITHUB_CONTEXT} | base64 -w 0)" | |||
There was a problem hiding this comment.
Please do note we have added base64 encoding due to an earlier bug that broke the json due to
a commit message with quotes inside. #116
Could you confirm this isn't reintroducing that issue?
There was a problem hiding this comment.
Probably a toJSON(github) error? I'm going to check that. Thank you to point me out to this issue.
Signed-off-by: Thibault NORMAND <[email protected]>
Zenithar
force-pushed
the
feat_cli_context_by_environment
branch
from
41cedb3 to
f82f4a0
Compare
Signed-off-by: Thibault NORMAND <[email protected]>
Zenithar
force-pushed
the
feat_cli_context_by_environment
branch
from
5771fc8 to
40367c5
Compare
| - name: Install cosign | ||
| uses: sigstore/[email protected] | ||
| with: | ||
| cosign-release: 'v1.5.1' |
There was a problem hiding this comment.
Bumped cosign yesterday.
| cosign-release: 'v1.5.1' | |
| cosign-release: 'v1.6.0' |
|
Is there anything I can assist you with to finalize this PR? You can find us on the gophers slack in our channel. https://gophers.slack.com/archives/C03563G8T4M |
I'm a little busy for the moment :-) I need to build a test repo to test your CI. I have permissions problems during the run. |
marcofranssen
force-pushed
the
main
branch
2 times, most recently
from
13e3c34 to
c209f4e
Compare
|
Closing this PR, I can't find time to finish it. |
Context
Consume all contexts (GITHUB_CONTEXT and RUNNER_CONTEXT) via environment variables. The previous strategy was to use a base64 encoded value to pass these contexts via command line. But the
GITHUB_CONTEXTcontains an active Github token value which can be retrieved by decoding the base64 encoded context.The generated encoded payload is publicly accessible and depending on the permissions allocated to the workflow, this ephemeral token could have high privileges.
By the way, this is very cool project I use in my pro and personal projects, I'm happy to help you to make all of these CI/CD topics more secured as I could help.
Reference(s)