-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
git: set token only for main remote access #1987
Conversation
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
d92bce6
to
5bf6429
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Why do we add httpurl when the prefix is not found? Why does the logic not look like this: if there is a prefix, add a auth header. Otherwise no |
@MarshalX Token auth is not specific to github. If repo is in another location we still need to set token header. The difference is that we set the token header only for the specific repository. But in case of github we know that a token always works for other github repositories as well(including public repos) so we don't set the token for a specific repository but to any repo under github.com. |
Does this need a backport for v0.8 ? |
@crazy-max If you confirm this is safe to take to actions right away we can cherry pick |
@tonistiigi Yes safe to me. I also did a bit more digging and noticed that there was a potential SSRF about this config in GitLab but nothing that concerns us because this part is sanitized and also Git environment is controlled in the buildkit image. |
fix docker/build-push-action#300
When setting the token for the request scope it to the main URL only so that it is not used for fetching irrelevant submodules. If submodules don't understand the token they can fail the fetch.
This is documented in https://git-scm.com/docs/git-config#Documentation/git-config.txt-httplturlgt
@crazy-max @MarshalX
Signed-off-by: Tonis Tiigi tonistiigi@gmail.com