-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: support for injecting values from repository secret. #53
Comments
I would like to point out that using secrets and injecting them into files that are then copied into the image, will expose the secret when it's pushed to a public registry. So great care will be needed for something like this |
Good point. This wouldn't be any more secure than just including the secret file in the GitHub repository directly. @Kerwood What is your use case for this? I suggest you re-examine it. You might be better off with a secrets manager product, such as Bitwarden's, or just reading off of a I was initially going to close this as not planned since I view that as an antipatter, but I guess we could still implement some way to do secrets access in the build for stuff like web requests. It'd be the users own fault if they get their keys leaked, lol. Does CLI support passing envvars into the build process or should this issue be moved? @gmpinder |
You both have good points and I do not disagree. |
Presumably text files, I guess. Also immutable. Something containing an email address perhaps? Anyways; if you don't need it on your image, maybe don't put it there. There are more private ways to sync things over. If you're concerned about being on GitHub search, you could use a private repository, or even not use GitHub at all and build your images locally (no more free compute in the nebulous cloud without you even noticing, though...) |
Yeah, I was actually wanting to implement something like that. So, Docker and Podman and Buildah, they have ways to mount secrets into the build. I want to try to set up a system for bluebuild that will make it easy to transpose those secrets into the proper build system. |
I am working on a POC at my company where I want to give our developers the opportunity to use a Linux Desktop instead of a horrible Windows machine not suited for developing on. Our security department have some requirements for the Linux distro and I can actually meet most of them using Silverblue and a custom BlueBuild image. One of the requirements is a specific anti virus software (Not CrowdStroke) which I can easily install with BlueBuild, but requires a specific config file that onboards the anti virus software to our tenant, pulls our company configuration and enables the software. I am not sure what the best approach is. |
For something like this, you could probably write a small script to curl/wget the file for a part of the build. I think when this feature is done, that could also be a way to go about it. I just wanted to make sure you were aware of the implications of putting a secret in the image. @xynydev since we do the checkout in the action, you think it would be a good idea to add a flag to disable the checkout so that more advanced users can decide how to call our action? |
The repo checkout? I don't know what the use case for not doing it is, but if there's a reason to allow disabling it I'm not opposed. Of course, an advanced user may opt for not using the action at all, but using the CLI directly, perhaps by copying what we have here in action.yml. A for @Kerwood, the use case of passing environment variables to the build will likely be supported in the future. Your use case for not having the file be searchable in the repo makes sense if multiple people are working on it, but those people shouldn't have access to the contents of the config file. However, if the config file is shipped on the image, everyone with access to the final image will be pretty easily able to extract the config file. I'm curious about what the configuration file's privilege or confidentiality level is, and how the onboarding is handled on the Windows side. If you don't want it on the internet, and it is a one-time setup, it could be possible to handle it with a USB stick with a script on it or something. Or if you have some sort of company intranet, hosting the config on there and deploying a |
Well, I just dont want sensitive files in the repo. If someone accidentally makes the repo public, forks it or something. Not so much that my colleagues are not allowed to see it.
You can't get access to anything. With the file you can enroll your antivirus software with our company policies, which will cost us a license and get our config pushed on to your laptop.
Yes, as i said, the process could be manuel moving the file to the laptop after installation. I am not sure though what happen to files created in As you mentioned, it clould also be a systemd service that gets the file from storage bucket some where. |
Yes, any file changes in /etc on boot will persist. The only time that they don't persist is when the file itself hasn't changed. In which case, ostree will overwrite the unchanged file with what is in /usr/etc. |
I don't know if we should open a new feature, but some of the use cases above coincide with this. Getting dynamic information into the call to blue build right now is all but impossible. For my use case, I just want to include build info like branch and sha in the image-info script on some universal blue images. Getting those values into the build process is very difficult and they change per build. If I write this info to a file to be included in the image, the action's checkout overwrites that. Being opinionated is fine, but it's taken me less than 24 hours to find this action too restrictive. |
@Kerwood the merged PR above is a fix for your issue. We'll finish this discussion and do a new release immediately if we decide to not pursue adding more features related to this.
This issue could be fixed too, it's not intentional on my part. The point of the GitHub Action is to do the necessary setup for using BlueBuild on GitHub, not for it to restrict what you can do. I'm a bit busy, but if you're up for another PR, you could try this:
|
The official recommended way to inject values into the build (right now) (make sure you're on action version v1.7.0 or higher) Use the steps:
# clone repo
- uses: actions/checkout@v4
# add secret (choose the location you want, then reference that in your image build if needed)
- run: echo "${{ secrets.SECRET_NAME }}" > ./config/files/tmp/SECRET_NAME
# the rest of the build handled by the reusable github action
- name: Build Custom Image
uses: blue-build/[email protected]
with:
recipe: ${{ matrix.recipe }}
cosign_private_key: ${{ secrets.SIGNING_SECRET }}
registry_token: ${{ github.token }}
pr_event_number: ${{ github.event.number }}
# enabled by default, disable if your image is small and you want faster builds
maximize_build_space: true
# skip the repo checkout built into the action
skip_checkout: true Passing in build opts dynamically is now also possible. If for example a build opt is added for adding Closing the issue now, cheers! |
I have a need for injecting a value from a repository secret into a file, before the build, eg. in
./config/files/etc/somefile
.Since the
blue-build
action its self does a checkout of the repo, it's not possible to do something like below before the build action.The text was updated successfully, but these errors were encountered: