Revert "Use RUNNER_TEMP to export credentials" #149
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This reverts commit 191a0f3.
|
Is there no other place these can be kept? Does It'd be nice if there was a full reference on the different env vars and how they work out in VM vs Container. |
It's how looks default run of Docker based GH action for our case: Maybe, the way to use one more input param for this action and to set either RUNNER_TEMP or GITHUB_WORKSPACE as a "workspace" also will be fine. |
Contributor
Author
Sure, but that's a breaking change. I think we should revert this. If we want to introduce that change, it should be in a new tagged version so people can upgrade safely. |
bharathkkb
approved these changes
Jul 22, 2020
Contributor
bharathkkb
left a comment
bharathkkb
left a comment
There was a problem hiding this comment.
LGTM
Seems like macos tests are queued/failing but I dont think its related.
Closed
Merged
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 10, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 10, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reverts #148
As I kinda suspected but couldn't remember, there's a reason we use the action's temporary directory.
/cc @travisgroth @ViacheslavKudinov