[feature] generator_container_slsa3 should support passing image as a secret #2917
Comments
Danil-Grigorev
added
status:triage
Danil-Grigorev
changed the title
ianlewis
added
area:container
Add option to provide image as a secret for private registries. Fixes #2917 --------- Signed-off-by: Danil Grigorev <[email protected]> Signed-off-by: Ian Lewis <[email protected]> Co-authored-by: Ian Lewis <[email protected]>
|
Temporarily re-opening for a question. Low-entropy secrets tend to create intermittent problems due to this bug https://github.com/orgs/community/discussions/37942. We have not heard of folks running into this problem with the container generator though, even though |
|
Ah yeah. I totally forgot about that issue. Apologies for merging too quickly. I agree, it might be an issue so I'll take a look. It could trigger if we have any job outputs whose value match any part of the image name. |
|
BTW, we included the In the case of |
|
ahh, I forgot about these variables! Yeah now I remember that's the solution to the problem. So let's document this in the generic container workflow then. @Danil-Grigorev Can you confirm this would solve your problem? |
|
Unfortunately with variables the issue is the same - they are visible in the logs. While encrypting output values may help, github contexts does not allow to pass a masked variable directly between the jobs too. And due to specifics of the provenance job - requirement to run on a separate VM, if I understand this correctly, the value can’t be decrypted in an additional step. I can confirm that the change is working when I tried that, and is not affected by the bug you mentioned with the given configuration. In fact this is the first success with everything in place 😄 provenance:
needs: [sign, build]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
with:
digest: ${{ needs.build.outputs.digest }}
compile-generator: true
secrets:
image: ${{ inputs.secret_registry && secrets[inputs.image] || inputs.image }}-${{ inputs.arch }}
registry-username: ${{ inputs.secret_registry && secrets[inputs.username] || inputs.username }}
registry-password: ${{ secrets[inputs.password] }} |
Note that the container name will be available in the provenance, which is currently recorded in the transparency log too. So its values will leak no matter what. |
Is your feature request related to a problem? Please describe.
The
imageinput of the generator_container_slsa3 workflow is declared as input which prohibits using secrets as values. The following example fails:Describe the solution you'd like
The
imageinput should be available to provide a secret. Example workflow could look liks this:Describe alternatives you've considered
Unfortunately due to destination registry restrictions, we have no alternatives, but to provide every value as a secret, and we are unable to change the overlapping values between the registry endpoint and the published image name.
Additional context
The text was updated successfully, but these errors were encountered: