Revert back to using GITHUB_WORKSPACE for storing credentials #412
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sethvargo
force-pushed
the
sethvargo/back
branch
19 times, most recently
from
b290061 to
17d793c
Compare
sethvargo
force-pushed
the
sethvargo/back
branch
from
17d793c to
de34926
Compare
sethvargo
commented
Dec 1, 2021
| main: dist/index.js | ||
| using: 'node12' | ||
| main: 'dist/main/index.js' | ||
| post: 'dist/post/index.js' |
Contributor
Author
There was a problem hiding this comment.
There appears to be no good way to "test" this. I've verified it's working by looking at the log output in our tests.
bharathkkb
reviewed
Dec 1, 2021
bharathkkb
approved these changes
Dec 1, 2021
Merged
|
Hello @sethvargo our issue is not totally resolved by this PR. |
Contributor
Author
|
That's likely because the The fact that this worked previously was a rather large security vulnerability, as any user would have been able to access and read those credentials regardless of their OS permissions. If you'd like to discuss further, please open an issue since pull requests aren't great for this type of discussion. |
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 10, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 10, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
sethvargo
added a commit
to google-github-actions/auth
that referenced
this pull request
Jul 11, 2025
The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context. In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.): - google-github-actions/setup-gcloud#148 - google-github-actions/setup-gcloud#149 - google-github-actions/setup-gcloud#405 - google-github-actions/setup-gcloud#412 While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs: 1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world. 2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything. 3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This reverts the change from using
RUNNER_TEMPto store exported credentials back to the original value ofGITHUB_WORKSPACEwhich many additional comments and tests to ensure there's not a regression in the future 😄Fixes GH-410