| field | value | date |
|---|---|---|
| author | Peter Hutterer <peter.hutterer@who-t.net> | 2019-08-07 11:55:21 +1000 |
| committer | Peter Hutterer <peter.hutterer@who-t.net> | 2019-08-07 13:28:27 +1000 |
| commit | b1181bdd2fde0b67243f627cba12b8d7be742dd2 (patch) | |
| tree | be696a5231b00d1f0ff256d0f2b196684ae05d42 | |
| parent | 801485afda09e5fcf8b2fda59292f496d71d02ae (diff) | |
gitlab CI: replace the user:password with a netrc file
Gitlab supports masked tokens that get sanitized during log output but these
tokens are still in the environment. meson dumps the environment into
testlog.txt, resulting in our tokens leaking.
Avoid that leak by using a netrc file instead. The token value now refers to
the file name which is safe enough to leak into the test logs.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
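As an added example (not libinput's CI code and not the author's), the following POSIX shell script reproduces the leak the message describes and the fix: when the token itself is exported, a harness that dumps its environment into a log records the token; when the variable holds only the path of a netrc file, the dump contains the path and nothing secret. `SECRET`, the `bentiss` login and the `PERSONAL_TOKEN_*` names are constructed to mirror the commit's comment; `netrc_path_for` is an assumed helper that shows how the `PERSONAL_TOKEN_$USER` lookup can be done without `eval`.

```shell
#!/bin/sh
# Added example (not libinput's CI code): reproduce the leak described in the
# commit message and show why a path-valued variable plus a netrc file avoids it.
# SECRET is a constructed value, not a real token.
SECRET="s3cr3t-token-1234"

# Write a single-line netrc ("default login <user> password <token>") into a
# private temp file (mode 0600) and print its path, the way a GitLab
# file-type variable hands the job a path instead of the value.
write_netrc() {
    _user=$1
    _secret=$2
    _file=$(mktemp) || return 1
    ( umask 077; printf 'default login %s password %s\n' "$_user" "$_secret" > "$_file" )
    chmod 600 "$_file"
    printf '%s\n' "$_file"
}

# Dump the environment into a log file, as a test harness that records its
# environment would, and return 0 if the needle appears in that log.
env_dump_contains() {
    _needle=$1
    _log=$(mktemp) || return 1
    env > "$_log"
    grep -qF -- "$_needle" "$_log"
    _rc=$?
    rm -f "$_log"
    return $_rc
}

# Old layout: the token itself is exported. Returns 0 when the secret leaks.
old_way_leaks() {
    ( export PERSONAL_TOKEN_bentiss="$SECRET"; env_dump_contains "$SECRET" )
}

# New layout: only the netrc path is exported. Returns 0 when the secret leaks,
# which it should not: the dump contains the path, not the token.
new_way_leaks() {
    _netrc=$(write_netrc bentiss "$SECRET") || return 1
    ( export PERSONAL_TOKEN_bentiss="$_netrc"; env_dump_contains "$SECRET" )
    _rc=$?
    rm -f "$_netrc"
    return $_rc
}

# Assumed helper: resolve PERSONAL_TOKEN_$login without eval. Reject any login
# that is not [A-Za-z0-9_] (so it cannot alter the sed pattern), then read the
# value from the exported environment. Prints the path and returns 0, or
# returns 1 when the login is unacceptable or the variable is unset.
netrc_path_for() {
    _login=$1
    case $_login in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    _path=$(env | sed -n "s/^PERSONAL_TOKEN_${_login}=//p")
    [ -n "$_path" ] || return 1
    printf '%s\n' "$_path"
}

# Usage in a job step (not run here):
#   netrc=$(netrc_path_for "$GITLAB_USER_LOGIN") && [ -f "$netrc" ] || exit 1
#   curl --netrc-file "$netrc" ...
```

The allowlist in `netrc_path_for` is what makes the lookup safe: the login is only ever used as a literal variable name, never handed to `eval`, and a login that falls outside the allowed characters is refused rather than expanded.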
-rw-r--r-- | .gitlab-ci.yml | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bd3f79ed..d66644b4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -252,10 +252,17 @@ freebsd:11.2@container-prep: # get the r/w token from the settings to access the registry # # each developer needs to register a secret variable that contains - # a personal token with api access in the form of: - # PERSONAL_TOKEN_$USER (for example PERSONAL_TOKEN_bentiss) + # a personal token with api access. The token + # - must be named PERSONAL_TOKEN_$USER (for example PERSONAL_TOKEN_bentiss) + # - must be registered in the CI/CD Variables section as type file + # - value must be a netrc file as a single-line string: + # default login <user> password <token value> + # e.g. "default login bentiss password 1235abcde" - tokenname="PERSONAL_TOKEN_$GITLAB_USER_LOGIN" - - token=$(eval echo "\$$tokenname") + - netrcfile=$(eval echo "\$$tokenname") + - if [[ ! -f "$netrcfile" ]]; then + echo "No netrc file found or token is missing, skipping job" && false; + fi # request a token for the registry API - REGISTRY_TOKEN=$(curl https://$GITLAB/jwt/auth --get @@ -265,7 +272,7 @@ freebsd:11.2@container-prep: -d service=container_registry -d "scope=repository:$REPOSITORY:pull,*" --fail - --user $GITLAB_USER_LOGIN:$token + --netrc-file "$netrcfile" | sed -r 's/(\{"token":"|"\})//g') # get the digest of the latest image |
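Review bot: in the first hunk, `netrcfile=$(eval echo "\$$tokenname")` keeps the `eval` indirection of the line it replaces, even though the new `[[ ! -f "$netrcfile" ]]` check two lines later already commits the script to bash; bash's indirect expansion `netrcfile=${!tokenname}` performs the same `PERSONAL_TOKEN_$GITLAB_USER_LOGIN` lookup without passing the login through `eval`. Separately, the message "skipping job" does not match what `echo "..." && false` does: `false` fails the job rather than skipping it, so either word the message as a failure or, if a developer without a registered token is meant to be tolerated, end the step with `exit 0` or mark the job `allow_failure`.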
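Review bot: in the second hunk, `--netrc-file "$netrcfile"` combined with the documented file content `default login <user> password <token>` means the credentials match whatever host curl is pointed at, so they go to anything `$GITLAB` expands to; since the comment in the first hunk fixes the format, document it as `machine <gitlab host> login <user> password <token>` so the token is bound to the one host that should see it. Worth a sentence in that comment as well: besides the environment dump the commit message mentions, the old `--user $GITLAB_USER_LOGIN:$token` also exposed the token in curl's argument list (visible via `ps` or `/proc/<pid>/cmdline`), which the netrc file removes.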