ver4a/oci-builder
1
0
Fork 0
Code Activity Actions

feat: pass password to buildah login through stdin
All checks were successful
/ Test oci-builder (push) Successful in 33s
Details
/ Release oci-builder (push) Successful in 1s
Details
/ Build oci-builder (push) Successful in 36s
Details

Browse source 
This config makes it so that the registry password isn't passed as a command line
argument to an external command (buildah login), but only to an internal
command (echo). Thus the password can't be visible in process tree.
(e.g. by using ps).
This commit is contained in:
ver4a 2026-01-09 00:27:22 +01:00
parent ae456716c5
commit 9c4574808f
1 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.forgejo/workflows/build-image.yaml
View file

@ -30,9 +30,10 @@ jobs:
- name: 'Log in to registry' - name: 'Log in to registry'
run: > run: >
echo '${{ secrets.REGISTRY_PASSWORD }}' |
buildah login buildah login
-u '${{ vars.REGISTRY_USERNAME }}' -u '${{ vars.REGISTRY_USERNAME }}'
-p '${{ secrets.REGISTRY_PASSWORD }}' --password-stdin
'${{ vars.REGISTRY_DOMAIN }}' '${{ vars.REGISTRY_DOMAIN }}'
- name: 'Push :ci-dev to registry' - name: 'Push :ci-dev to registry'
@ -78,9 +79,10 @@ jobs:
- name: 'Log in to registry' - name: 'Log in to registry'
run: > run: >
echo '${{ secrets.REGISTRY_PASSWORD }}' |
buildah login buildah login
-u '${{ vars.REGISTRY_USERNAME }}' -u '${{ vars.REGISTRY_USERNAME }}'
-p '${{ secrets.REGISTRY_PASSWORD }}' --password-stdin
'${{ vars.REGISTRY_DOMAIN }}' '${{ vars.REGISTRY_DOMAIN }}'
- name: 'Move :ci-dev to :stable' - name: 'Move :ci-dev to :stable'