Open eine opened 3 years ago
@eine
It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in docker/login-action@adb7347/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure.
This issue concerns the credential store used on the GitHub Runner and not this action itself. Also as you can see on your own fork, credentials are removed when the job is finished.
@crazy-max, see actions/starter-workflows#96 (and the ref to docker/cli#2089). Ideally developers/maintainers of Docker and GitHub Actions would communicate with each other for achieving a satisfactory solution.
@eine
Ideally developers/maintainers of Docker and GitHub Actions would communicate with each other for achieving a satisfactory solution.
Maybe GitHub could simply install the pass credential helper on the GitHub Runner. WDYT @clarkbw?
I've asked for this before. I'll push for it again.
Please note this not only affects the "build and push" action. Currently every workflow must/should start with a docker login so as to decrease the chance of being hit by the new rate limiting.
In the short term can we only filter out the login message?
@clarkbw this issue is about requesting relevant warnings not to be hidden from users. ATM, the warnings are filtered out: #25.
@eine @clarkbw actions/virtual-environments#2304 has been merged. Will be available ~January (https://github.com/actions/virtual-environments/issues/2302#issuecomment-749140395).
Coming from docker/build-push-action#53
Refs:
Behaviour
Steps to reproduce this issue
Expected behaviour
Login is secure or security warnings are not hidden.
Actual behaviour
Login is reported not to be secure, but warnings are hidden.
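The distinction this thread turns on, as an added example that is not part of the original issue or of docker/login-action: a JavaScript check that reports which registries in a Docker CLI `config.json` keep the credential in the file itself rather than in a credential helper such as `pass`. The function names and sample configs are constructed for illustration; `auths`, `credsStore` and `credHelpers` are the Docker CLI's own config keys.

```javascript
// Added example (not from docker/login-action): classify where a Docker CLI
// config.json keeps registry credentials. Names and samples are constructed.
function auditDockerConfig(configJson) {
  const cfg = JSON.parse(configJson);
  const helpers = cfg.credHelpers || {};
  return Object.entries(cfg.auths || {}).map(([registry, entry]) => {
    const e = entry || {};
    // A per-registry helper overrides the global credsStore.
    const helper = helpers[registry] || cfg.credsStore || null;
    let storage = 'none';
    if (e.auth || e.identitytoken) {
      // The secret (base64 "user:secret" or a token) is in the file itself.
      storage = 'plaintext';
    } else if (helper) {
      storage = 'helper:' + helper;
    }
    return { registry, storage };
  });
}

// Registries whose login left a readable credential in config.json.
function plaintextRegistries(configJson) {
  return auditDockerConfig(configJson)
    .filter((f) => f.storage === 'plaintext')
    .map((f) => f.registry);
}

// Constructed sample: login without any credential store configured.
const fakeAuth = Buffer.from('demo-user:not-a-real-secret').toString('base64');
const SAMPLE_NO_STORE = JSON.stringify({ auths: { 'ghcr.io': { auth: fakeAuth } } });

// Constructed sample: the same login with the pass helper as global store.
const SAMPLE_WITH_PASS = JSON.stringify({ auths: { 'ghcr.io': {} }, credsStore: 'pass' });

// Constructed sample: one registry behind a helper, one stored in the file.
const SAMPLE_MIXED = JSON.stringify({
  auths: { 'ghcr.io': {}, 'registry.example.test': { auth: fakeAuth } },
  credHelpers: { 'ghcr.io': 'pass' },
});

for (const [name, sample] of Object.entries({ SAMPLE_NO_STORE, SAMPLE_WITH_PASS, SAMPLE_MIXED })) {
  console.log(name, JSON.stringify(auditDockerConfig(sample)));
}
```

Run against the runner's real `config.json` after the login step, a non-empty result from `plaintextRegistries` is the condition the hidden warning refers to.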