Replace docker/login-action with inline docker login#8694
Drop dependency on docker/login-action by replacing it with a simple docker login command. Just reduces our supply chain exposure a bit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| # Password or personal access token used to log against the Docker registry | ||
| password: ${{ secrets.DOCKER_PASSWORD}} | ||
| # Log out from the Docker registry at the end of a job | ||
| logout: true |
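Review bot: the inline replacement for the removed `password:` input should carry the secret to the step through `env:` and feed it to `docker login --password-stdin`, never interpolated as `${{ secrets.DOCKER_PASSWORD }}` inside the `run:` script text, where it would become part of the shell command. Separately, dropping `logout: true` leaves the credential that `docker login` writes to the runner's Docker config in place for the rest of the job; that is harmless on GitHub-hosted runners, which are discarded after each run, but on a self-hosted or persistent runner a trailing `docker logout` step (for example with `if: always()`) is worth keeping.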
We lose logout at the end of the job, but I think this is moot. The runner is discarded after each matrix run.
aarongable
left a comment
LGTM, with the caveat that I'd like to see some sort of indication (e.g. in the PR description) that this is an accepted best-practice way to do this. GitHub Action supply chain dependency attacks are very real. They also protect us from very real accidental errors, like getting the difference between "$DOCKER_PASSWORD" and ${DOCKER_PASSWORD} wrong.
Note that zizmor flags both the main branch and this PR for: My interpretation of this and https://docs.zizmor.sh/audits/#secrets-outside-env, is that it is currently benign. The belt-and-suspenders fix would be to scope the token to an environment and configure environment protection rules. But since the token is still not available to forks, I think we're fine.
Drop dependency on docker/login-action by replacing it with a simple `docker login` command. Just reduces our supply chain exposure a bit.

This is done in a way consistent with GitHub's suggestions https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#using-secrets-in-a-workflow, in particular: the secret is passed to the inner step as an environment variable; `printenv` prevents the secret from being visible in the process list, and is piped over stdin to `docker login`.
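The pattern the description refers to, written out as an added workflow fragment (not the PR's own diff; the step names, the `DOCKER_USERNAME` secret and the `if: always()` logout step are assumptions). The first step shows the shape to avoid, the second the env-plus-stdin form, and the third restores the logout that the removed `logout: true` input used to provide:

```yaml
# Constructed example, not the repository's workflow.
jobs:
  push-image:
    runs-on: ubuntu-latest
    steps:
      # AVOID: the secret is interpolated into the shell command text and
      # appears in the process list as a docker argument.
      # - name: Log in to Docker Hub (weak)
      #   run: docker login -u "${{ secrets.DOCKER_USERNAME }}" -p "${{ secrets.DOCKER_PASSWORD }}"

      # PREFERRED: the secret reaches the step only as an environment variable,
      # printenv emits it without placing it on any command line, and docker
      # reads it from stdin. printenv exits non-zero if the variable is unset,
      # so a missing secret fails the step instead of logging in with an empty password.
      - name: Log in to Docker Hub
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: printenv DOCKER_PASSWORD | docker login --username "$DOCKER_USERNAME" --password-stdin

      - name: Build and push
        run: docker build -t example/image:latest . && docker push example/image:latest

      # Moot on ephemeral GitHub-hosted runners, but clears the stored credential
      # from the Docker config on a self-hosted or persistent runner.
      - name: Log out of Docker Hub
        if: always()
        run: docker logout
```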