ci: Stop JWT leakage in jobs logs

Guilherme Gallo requested to merge gallo/mesa:ci-stop-jwt-leakage into main

There are some sensitive variables set by GitLab as environment variables. Some jobs use them for running some scripts. Unfortunately, they are prone to be leaked via obvious ways, such as printing the entire environment for debugging reasons, or not-so-obvious approaches, like executing set -x and using some sensitive variables in the same script block.

We have set some CI variables to be masked by GitLab; however, this mechanism fails sometimes.

This MR aims to stop the leakage of the CI_JOB_JWT environment variable without relying on GitLab's variable masking tool. CI_JOB_JWT is used to access the MinIO repository in bare-metal/iris/virgl jobs.

Essentially, this MR achieves this goal via two main steps:

  1. Transferring the CI_JOB_JWT content to a file located at CI_JOB_JWT_FILE at the very beginning of each Mesa CI job.
    • The necessary tools (piglit and ci-fairy) have been adapted to accept JWT tokens as a file.
  2. Doing the inverse operation of 1. as the last step of every job.
Edited by Guilherme Gallo
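
The two steps in the description above, sketched as POSIX shell helpers. This is an added example, not code from the merge request or from Mesa CI; the function names `jwt_to_file` and `jwt_from_file`, the xtrace handling, and deleting the file on restore are assumptions.

```shell
# Added example: helper names are hypothetical, not Mesa CI code.
# Usage: call jwt_to_file as the first command of a job and
# jwt_from_file as the last; CI_JOB_JWT_FILE must name a writable path.

# Step 1: move the token from the environment into a private file.
jwt_to_file() {
    # Pause xtrace first so an enclosing `set -x` cannot echo the token.
    _jwt_xtrace=0
    case $- in *x*) _jwt_xtrace=1; set +x ;; esac
    _jwt_rc=0
    if [ -n "${CI_JOB_JWT:-}" ]; then
        # umask in a subshell: the file is created 0600 without changing
        # the job's umask. printf is a builtin in bash and dash, so the
        # token never shows up in another process's argv.
        if ( umask 077; printf '%s' "$CI_JOB_JWT" > "$CI_JOB_JWT_FILE" ); then
            unset CI_JOB_JWT   # `env` or `printenv` can no longer print it
        else
            _jwt_rc=1          # keep the variable if the write failed
        fi
    fi
    if [ "$_jwt_xtrace" = 1 ]; then set -x; fi
    return "$_jwt_rc"
}

# Step 2: the inverse, run as the last step of the job.
jwt_from_file() {
    _jwt_xtrace=0
    case $- in *x*) _jwt_xtrace=1; set +x ;; esac
    if [ -f "$CI_JOB_JWT_FILE" ]; then
        CI_JOB_JWT=$(cat "$CI_JOB_JWT_FILE")
        export CI_JOB_JWT
        rm -f "$CI_JOB_JWT_FILE"   # assumption: the file is not kept afterwards
    fi
    if [ "$_jwt_xtrace" = 1 ]; then set -x; fi
}
```

Between the two calls, any tool that needs the token has to read it from `$CI_JOB_JWT_FILE`, which is why the description mentions adapting piglit and ci-fairy.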
