Export credentials into RUNNER_TEMP instead of GITHUB_WORKSPACE #405
+123
−778
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This will ensure the credentials do no persist beyond the run, but are still available to all other steps in the job.
bharathkkb
approved these changes
Nov 30, 2021
Merged
|
thx for this @sethvargo |
|
@sethvargo We're getting this warning from our use of
We're happy to make the change to google-github-actions/auth for authentication but we don't want to fall foul of the issue that you fixed in this PR. Will this change be reflected if we make the move to google-github-actions/auth ? cc @marengaz |
Contributor
Author
|
@jamiet-msm yea, we're trying to centralize all authentication into "auth". auth already has this fix. |
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 10, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 10, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This will ensure the credentials do no persist beyond the run, but are still available to all other steps in the job.
Also a few small fixes:
Fixes #402