我应该在GitHub Action工作流程结束时删除机密文件吗?
我有一些操作,需要将秘密存储到文件中。稍后另一个作业使用此秘密,例如:
env:
FIREBASE_DISTRIBUTION_KEY: ${{ secrets.GCP_SA_FIREBASE_DISTRIBUTION_PROD_KEY }}
run: |
echo $FIREBASE_DISTRIBUTION_KEY > key.json
export GOOGLE_APPLICATION_CREDENTIALS=key.json
从安全角度来看,我应该在工作流程末尾删除key.json吗?像:
- name: Remove credentials
if: always()
run: |
rm key.json
我正在考虑一种场景,其中GitHub操作容器被妥协并且有人可以访问文件。或不相信Github会完全删除GitHub Action容器。
I have some actions where I need to store a secret into a file. This secret is used by another job later, like:
env:
FIREBASE_DISTRIBUTION_KEY: ${{ secrets.GCP_SA_FIREBASE_DISTRIBUTION_PROD_KEY }}
run: |
echo $FIREBASE_DISTRIBUTION_KEY > key.json
export GOOGLE_APPLICATION_CREDENTIALS=key.json
From a security perspective, should I remove at the end of the workflow the key.json? Like:
- name: Remove credentials
if: always()
run: |
rm key.json
I'm thinking about a scenario where the GitHub Actions containers are compromised and someone has access to the files. Or not trusting GitHub that they are deleting the GitHub Action container completely.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这不是必需的。
首先,github动作跑步者不是容器,而是虚拟机。没有机会逃脱,也没有“清理”容器的想法。
虚拟机被完全处理。运行您的工作的虚拟机 - 或任何磁盘图像都不会被重复使用。
This is not necessary.
First, GitHub Actions runners are not containers, they're virtual machines. There's no opportunity for container escape, and there's no notion of "cleaning up" the containers.
The virtual machine is disposed of completely. Neither the virtual machine that ran your job - nor any of its disk images - will be re-used.