mozilla / sccache

Sccache is a ccache-like tool. It is used as a compiler wrapper and avoids compilation when possible. Sccache has the capability to utilize caching in remote storage environments, including various cloud storage options, or alternatively, in local storage.
Apache License 2.0

Consider introducing `SCCACHE_GCS_KEY` (alongside the existing `_PATH`) #865

Status: Open. fasterthanlime opened this issue 4 years ago.

fasterthanlime commented 4 years ago

On Github Actions, all secrets (even encrypted secrets) are passed via environment variables.

To use sccache with GCS storage on GitHub Actions, currently the only way seems to be writing the JSON service account credentials to a file, then setting SCCACHE_GCS_KEY_PATH to the path of that file.

That means writing a secret to disk instead of keeping it in the environment, thus providing even more opportunity to leak that secret.

It would be super convenient to be able to just pass the contents of the JSON as SCCACHE_GCS_KEY, or SCCACHE_GCS_KEY_CONTENTS.
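The file-based workaround described above, as an added example that is not part of the issue or of sccache's own tooling: a POSIX sh helper that copies the service-account JSON from an environment variable into a 0600 temp file for SCCACHE_GCS_KEY_PATH, plus a matching cleanup so the secret spends as little time on disk as possible. The function names are assumptions; RUNNER_TEMP is GitHub Actions' per-job temp directory, with /tmp as a fallback.

```shell
# Example helpers (not from sccache): write the JSON held in the named env var
# to a private temp file and print the file's path, for SCCACHE_GCS_KEY_PATH.
sccache_gcs_key_file() {
    # $1: name of the env var holding the credential JSON (e.g. a repo secret)
    key_json=$(printenv "$1") || { echo "env var $1 is not set" >&2; return 1; }
    [ -n "$key_json" ] || { echo "env var $1 is empty" >&2; return 1; }
    # umask 077 in the subshell, and mktemp itself, both give the file mode 0600
    key_file=$(umask 077 && mktemp "${RUNNER_TEMP:-/tmp}/sccache-gcs-key.XXXXXX") \
        || { echo "could not create temp file" >&2; return 1; }
    # printf rather than echo: the JSON must not be altered (no escape handling)
    printf '%s' "$key_json" > "$key_file"
    printf '%s\n' "$key_file"
}

# Remove the key file once the build step is done and drop the env var.
sccache_gcs_key_cleanup() {
    if [ -n "${SCCACHE_GCS_KEY_PATH:-}" ]; then
        rm -f -- "$SCCACHE_GCS_KEY_PATH"
    fi
    unset SCCACHE_GCS_KEY_PATH
}
```

In GitHub Actions each step runs in a fresh shell, so put the cleanup in a later step with `if: always()` rather than relying on a `trap` in the build step.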

saiintbrisson commented 1 year ago

This is still pretty useful for users using service accounts for authentication (and there are a lot of them, me included).

Still, it is good to note that nowadays the Workload Identity Federation scheme partially solves this by generating a credential JSON that's only valid for the duration of the run. Generally, this approach seems safer than having a service account token.

BUT, External Accounts (the ones used by WIF) are NOT supported by Sccache as of today. Support for it needs to be implemented in reqsign, the underlying signing crate used by opendal.

A good read by one of GCP's engineers on this: https://medium.com/google-cloud/how-does-the-gcp-workload-identity-federation-work-with-github-provider-a9397efd7158

saiintbrisson commented 1 year ago

An update on what I described above: I've implemented said external accounts in Xuanwo/reqsign#308, and opened a PR here to bump the dependency version in #1760.