go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Action filter for secrets #32162

Open mclei-asw opened 1 month ago

mclei-asw commented 1 month ago

Feature Description

Woodpecker CI has a great feature: Image filter. Its description is: "To prevent abusing your secrets from malicious usage, you can limit a secret to a list of images. If enabled they are not available to any other plugin (steps without user-defined commands). If you or an attacker defines explicit commands, the secrets will not be available to the container to prevent leaking them."

It would be great to have such a filter for secrets in Gitea Actions. Just here it should filter on the "actions" name or URL. In Woodpecker each action is provided by an image, that's why the name should be different.

It will allow exposing secrets to only a limited list of actions. For example, as Gitea does not provide any support for cloning repositories other than the one it is actually run on, we can grant access to a specific user and allow its secret to be used only by the specific clone action. And nobody can maliciously reveal that secret.

Screenshots

No response

lunny commented 1 month ago

Maybe it should filter both container/image and actions.
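The filter described in the issue, covering both the action allow-list requested above and the container/image variant from the comment, as an added example in Go (not Gitea's own code; the `Step` and `SecretPolicy` shapes are assumptions for illustration). An allow-list entry that pins a version (`@v4` for an action, `:3.20` for an image) must match exactly; an unpinned entry matches any version. Steps with user-defined commands never receive a restricted secret, and anything that matches neither list fails closed:

```go
package main

import "strings"

// Step is a minimal model of a workflow step (assumed shape, not Gitea's type).
type Step struct {
	Uses  string // action reference, e.g. "actions/checkout@v4"
	Image string // container image of a container step, e.g. "alpine:3.20"
	Run   string // user-defined commands; non-empty means a script step
}

// SecretPolicy ties a secret to an allow-list of actions and/or images; both
// lists empty means unrestricted, which is what Gitea does today.
type SecretPolicy struct {
	Actions []string // allowed action references (name or URL)
	Images  []string // allowed container images
}

// inList reports whether an allow-list entry matches actual. An entry that pins
// a version (text after sep: "@" for actions, ":" for images) must match
// exactly; an unpinned entry matches any version of that action or image.
func inList(list []string, actual, sep string) bool {
	base := actual
	if i := strings.Index(actual, sep); i >= 0 {
		base = actual[:i]
	}
	for _, a := range list {
		if a == actual || (!strings.Contains(a, sep) && a == base) {
			return true
		}
	}
	return false
}

// Allowed reports whether the secret may be injected into the step. A restricted
// secret never reaches user-defined commands (a `run:` script could just print
// it), and a step matching neither list fails closed.
func (p SecretPolicy) Allowed(st Step) bool {
	if len(p.Actions) == 0 && len(p.Images) == 0 {
		return true
	}
	if st.Run != "" {
		return false
	}
	if st.Uses != "" {
		return inList(p.Actions, st.Uses, "@")
	}
	return st.Image != "" && inList(p.Images, st.Image, ":")
}
```

Images with a registry port (`registry:5000/img`) contain the separator, so such entries only match exactly, which is the safe direction.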