Commit b1181bdd authored by Peter Hutterer

gitlab CI: replace the user:password with a netrc file


Gitlab supports masked tokens that get sanitized during log output but these
tokens are still in the environment. meson dumps the environment into
testlog.txt, resulting in our tokens leaking.

Avoid that leak by using a netrc file instead. The token value now refers to
the file name which is safe enough to leak into the test logs.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
parent 801485af
......@@ -252,10 +252,17 @@ freebsd:11.2@container-prep:
# get the r/w token from the settings to access the registry
#
# each developer needs to register a secret variable that contains
# a personal token with api access in the form of:
# PERSONAL_TOKEN_$USER (for example PERSONAL_TOKEN_bentiss)
# a personal token with api access. The token
# - must be named PERSONAL_TOKEN_$USER (for example PERSONAL_TOKEN_bentiss)
# - must be registered in the CI/CD Variables section as type file
# - value must be a netrc file as a single-line string:
# default login <user> password <token value>
# e.g. "default login bentiss password 1235abcde"
- tokenname="PERSONAL_TOKEN_$GITLAB_USER_LOGIN"
- token=$(eval echo "\$$tokenname")
- netrcfile=$(eval echo "\$$tokenname")
- if [[ ! -f "$netrcfile" ]]; then
echo "No netrc file found or token is missing, skipping job" && false;
fi
# request a token for the registry API
- REGISTRY_TOKEN=$(curl https://$GITLAB/jwt/auth --get
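Review bot: the new netrcfile=$(eval echo "\$$tokenname") line keeps the eval that the old token= line had, so the shell re-parses a string built from $GITLAB_USER_LOGIN. The script already depends on bash for [[ ... ]], so indirect expansion, netrcfile="${!tokenname}", reads the same variable without eval. Separately, the failure message says "skipping job" while the trailing "&& false" fails it. The message should also say that the variable must be registered as type file, since a token still stored as a plain variable lands in the same branch.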
......@@ -265,7 +272,7 @@ freebsd:11.2@container-prep:
-d service=container_registry
-d "scope=repository:$REPOSITORY:pull,*"
--fail
--user $GITLAB_USER_LOGIN:$token
--netrc-file "$netrcfile"
| sed -r 's/(\{"token":"|"\})//g')
# get the digest of the latest image
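Review bot: at --netrc-file "$netrcfile", the credential comes from the "default login <user> password <token value>" format documented above, and a netrc default entry matches every host. Anything handed this file will offer the personal token to whichever host it contacts. Documenting the format as "machine <gitlab host> login <user> password <token value>" scopes it to the host used in https://$GITLAB/jwt/auth. The login now also comes from the file rather than $GITLAB_USER_LOGIN, so the comment should say that <user> has to match the account that owns the token.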
......