
publish a docker image to quay for every release #86

Merged
merged 3 commits into from
May 7, 2021

Conversation

@erdii erdii commented Mar 10, 2021

Intended workflow:

A new release is cut on master by creating a release and tagging it with the version
->
The build-docker workflow gets triggered and gets the version from the release tag. This also pushes the image to quay.io

Questions:

  • how do I get the quay robot account credentials into the repo's secrets? (I don't have access to this (yet?))
  • is quay right? Ideally this would be published under docker.io/prom/jiralert

Signed-off-by: Josh Gwosdz <jgwosdz@redhat.com>

erdii added 2 commits March 10, 2021 17:09
Signed-off-by: Josh Gwosdz <jgwosdz@redhat.com>
Signed-off-by: Josh Gwosdz <jgwosdz@redhat.com>
erdii commented Mar 10, 2021

@thetechnick did a small review of the PR and was concerned about security of the used secrets (rightfully so!)

How do we ensure that a new PR does not dump the quay credential secrets so that the attacker can replace our images (at least until we find out)?
The answer: https://securitylab.github.com/research/github-actions-preventing-pwn-requests#:~:text=Due%20to%20the%20dangers%20inherent%20to,the%20pull_request_target%20workflow%20trigger%20was%20introduced
Workflows triggered via the pull_request event cannot access repo secrets if they come from outside of this repo.

Also: pull_request_target does not have these limitations and I verified that an attacker cannot change this trigger and then have the workflow actually be triggered by the new event.
Verified here: erdii/gh-actions-playground#1

TL;DR: a PR cannot extract registry secrets :)
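The distinction above (pull_request jobs from forks get no secrets; pull_request_target jobs do, which is only dangerous when they also run the PR's own code) can be checked mechanically. The audit script below is an added example, not part of jiralert or the linked article; it takes workflows already parsed into dicts, and the two sample workflows are constructed to mirror the login step this PR adds.

```python
"""Audit a parsed GitHub Actions workflow for the pwn-request shape discussed in this
thread. Added example, not jiralert code; the sample workflows below are constructed."""
from typing import Any

PR_HEAD_REFS = ("github.event.pull_request.head", "github.head_ref")

def triggers(workflow: dict) -> set:
    """Normalise `on:` (string, list or mapping) to a set of event names.
    PyYAML loads a bare `on:` key as the boolean True, hence the fallback."""
    on = workflow.get("on", workflow.get(True, {}))
    return {on} if isinstance(on, str) else set(on)

def mentions_secret(value: Any) -> bool:
    """True if any string nested inside `value` contains a `secrets.` expression."""
    if isinstance(value, str):
        return "secrets." in value
    if isinstance(value, dict):
        value = list(value.values())
    return isinstance(value, list) and any(mentions_secret(v) for v in value)

def checks_out_pr_head(step: dict) -> bool:
    """Does this step check out the untrusted PR branch rather than the base repo?"""
    ref = str((step.get("with") or {}).get("ref", ""))
    return str(step.get("uses", "")).startswith("actions/checkout") and any(r in ref for r in PR_HEAD_REFS)

def audit(workflow: dict) -> list:
    """(job name, finding) pairs. pull_request jobs get no secrets for fork PRs, so only
    pull_request_target jobs that run PR-head code next to secrets are reported."""
    if "pull_request_target" not in triggers(workflow):
        return []
    findings = []
    for name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        if any(map(checks_out_pr_head, steps)) and (mentions_secret(steps) or mentions_secret(job.get("env"))):
            findings.append((name, "runs PR head code while repository secrets are available"))
    return findings

LOGIN = {"uses": "docker/login-action@v1", "with": {"registry": "quay.io",
         "username": "${{ secrets.QUAY_USER }}", "password": "${{ secrets.QUAY_PASS }}"}}
# Constructed: the dangerous shape the linked article warns about.
UNSAFE = {"on": ["pull_request_target"], "jobs": {"publish": {"steps": [
    {"uses": "actions/checkout@v2", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
    LOGIN, {"run": "make docker docker-publish"}]}}}
# Constructed: publish only on version tags, as this PR intends.
SAFE = {"on": {"push": {"tags": ["v*"]}}, "jobs": {"publish": {"steps": [
    {"uses": "actions/checkout@v2"}, LOGIN, {"run": "make docker docker-publish"}]}}}

if __name__ == "__main__":
    for label, wf in (("unsafe", UNSAFE), ("safe", SAFE)):
        print(label, audit(wf))
```

To run it over real files, load each `.github/workflows/*.yml` with `yaml.safe_load` and pass the result to `audit`.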

@erdii erdii requested a review from bwplotka March 12, 2021 12:46
@erdii erdii marked this pull request as ready for review March 12, 2021 16:35
@erdii erdii mentioned this pull request Mar 12, 2021
Signed-off-by: Josh Gwosdz <jgwosdz@redhat.com>
@erdii erdii force-pushed the build-docker-images branch from a8a0b00 to b944c16 March 17, 2021 12:08
        registry: quay.io
        username: "${{ secrets.QUAY_USER }}"
        password: "${{ secrets.QUAY_PASS }}"
    - run: make docker docker-publish

Can we add something like https://github.com/thanos-io/thanos/blob/main/Makefile#L5 to build from main.

@bwplotka bwplotka left a comment


LGTM, just one suggestion (:

@bwplotka bwplotka merged commit 63eaeb0 into prometheus-community:master May 7, 2021
@erdii erdii deleted the build-docker-images branch May 7, 2021 10:51