Closed deitch closed 1 month ago
Note that for tests running for an open PR this dockerhub credentials will not be used unless we switch pull_request to pull_request_target. But I think that in this repo it is not so important (we do not open PRs that often here) and it has security risks. I'm not sure about pull_request_review that we use in the eve repo - does it have access to secrets?
However, it seems that in each test workflow the only non-OSS pull is for the nginx container (or is it OSS, how can I check?). Hence it is not so import to use the dockerhub account for eden tests.
However, it seems that in each test workflow the only non-OSS pull is for the nginx container (or is it OSS, how can I check?).
nginx is not OSS. You look at the repo. For example, lfedge/eve has this:
While nginx does not:
"Docker official images" explicitly are subject to pull limits.
Hence it is not so import to use the dockerhub account for eden tests.
So maybe we do not need it at all? Perhaps. Let's this one in, which just switches the secret used to unify it. Then we can remove secret access entirely in a separate one if we want.
So maybe we do not need it at all? Perhaps. Let's this one in, which just switches the secret used to unify it. Then we can remove secret access entirely in a separate one if we want.
Note that I'm not against using docker login in tests. It is just that these secrets are not available to an open PR (unless we use pull_request_target) and thus we will continue running them with anonymous docker user.
Eden was using inherited secrets from EVE, hence the naming release. We used secrets instead of inputs as per GitHub guidelines. I wonder though if any repository using reusable Eden workflow will have access to this credentials
Eden was using inherited secrets from EVE, hence the naming release. We used secrets instead of inputs as per GitHub guidelines. I wonder though if any repository using reusable Eden workflow will have access to this credentials
The real problem is here: https://github.com/lf-edge/eve/blob/master/.github/workflows/eden.yml#L14
pull_request_review
does not grant access to secrets, hence no secrets are propagated to eden (those fields are inherited empty).
lfedge created a new user for all of the workflows, and saved the credentials as org secrets, specifically
RELEASE_DOCKERHUB_ACCOUNT
andRELEASE_DOCKERHUB_TOKEN
. This PR removes the different name in the flows and uses the org standardsecrets.RELEASE_DOCKERHUB_ACCOUNT
andsecrets.RELEASE_DOCKERHUB_TOKEN
.Eden actually was using both,
RELEASE_DOCKERHUB_*
andDOCKERHUB_*
, with only a few left using theDOCKERHUB_*
. This unifies it all.