IBM / lunchpail

Lunchpail compiles your job code into an all-in-one executable. Others download that binary, and "up" it to run your code in the Cloud or an existing Kubernetes cluster.
Apache License 2.0
6 stars, 2 forks

test: add test coverage for `ibmcloud be` using GH self hosted runners #94

Open aavarghese opened 2 months ago

starpit commented 2 months ago

This would be nice. I'm not sure how we avoid leaking secrets? Any self-hosted runner would need an apikey for ibm cloud? We could provision the runner to have a security group that blocks access to any outbound connection other than the ibm cloud api servers. This would protect tcp-based escape. But... the user code could still just log the secret to the console? If this were a github action-provided secret, their log viewers would hopefully be smart enough to redact the secrets from any displayed logs. But... if this is just some random string that github doesn't know about...?

aavarghese commented 2 months ago

If a secret is set via input or env var in the GH action workflow, GH should know what it is and redact it in the logs (ref). Self-hosted runners may also behave the same, and we will need a minimum-access apikey for it plus additional security like no outbound sec group rules, as you mentioned.
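As an added example (not code from this issue or from the lunchpail repository), a workflow that passes the API key as a GitHub secret so the runner's log masker redacts it, and registers runtime-derived values with `::add-mask::` so they are redacted too; the secret name, runner label, region and test entrypoint are assumptions.

```yaml
# Added example, not from the lunchpail repo. Assumed: secret IBMCLOUD_API_KEY,
# runner label "ibmcloud-be", region us-south, and the test entrypoint below.
name: ibmcloud-be
on:
  pull_request:   # secrets are not exposed to runs triggered by fork PRs
  push:
    branches: [main]

permissions:
  contents: read   # the job needs nothing else from the GitHub token

jobs:
  ibmcloud-be:
    runs-on: [self-hosted, ibmcloud-be]   # assumed runner label
    env:
      # A stored secret is registered with the runner's masker, so a line
      # that prints its value shows *** in the log, self-hosted or not.
      IBMCLOUD_API_KEY: ${{ secrets.IBMCLOUD_API_KEY }}
    steps:
      - uses: actions/checkout@v4

      - name: Log in with the least-privilege API key
        run: ibmcloud login --apikey "$IBMCLOUD_API_KEY" -r us-south

      - name: Mask values GitHub does not already know about
        # Tokens or ids minted at runtime are unknown to the masker until
        # registered; ::add-mask:: redacts them from every later log line.
        # The JSON field name is assumed from the CLI's documented output.
        run: |
          IAM_TOKEN="$(ibmcloud iam oauth-tokens --output json | jq -r '.iam_token')"
          echo "::add-mask::$IAM_TOKEN"

      - name: Run the ibmcloud be tests
        run: ./tests/ibmcloud-be.sh   # placeholder: entrypoint not given in the issue
```

Values printed before they are registered with `::add-mask::` are not redacted retroactively, so mask in the same step that produces the value and before anything else echoes it.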

starpit commented 2 months ago

Is there a way for us (as non-owners of org IBM) to configure env vars?