Explicitly avoid committing SSH key to gh-pages #2018
src/deploydocs.jl
@@ -379,14 +379,16 @@ function git_push( | |||
# Get the parts of the repo path and create upstream repo path | |||
user, host, upstream = user_host_upstream(repo) | |||
|
|||
keyfile = abspath(joinpath(root, ".documenter")) | |||
keyfile = abspath(joinpath(homedir(), ".documenter-identity-file.tmp")) |
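Review bot: the path on the added `keyfile =` line is a fixed file name directly under homedir(), so two deployments running as the same user would share one file, and a run that dies before cleanup leaves the private key at a predictable location. Nothing in this hunk sets the file mode or removes the file; consider a unique name (for example from mktemp(homedir())) and a try/finally around the push that deletes it.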
Better with temp?
keyfile = abspath(joinpath(homedir(), ".documenter-identity-file.tmp")) | |
keyfile = abspath(joinpath(mktempdir(), ".documenter-identity-file.tmp")) |
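Review bot: mktempdir() is called inline in the suggested line, so the directory it creates is only reachable later as dirname(keyfile). Bind it to a variable so the cleanup path can remove the directory as well as the key file, and so a check that it does not sit inside the deploy target has a value to test.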
Yeah, I think it's not inconceivable someone might try to upload the entire home directory, e.g. on a CI service where there's nothing much there anyways. If we really wanted to be on the safe side, maybe even check if `tempdir` is a subdirectory of the target and error loudly if it is?
`tempdir` would indeed be the most convenient, but what I was concerned about is that, if somehow it doesn't get cleaned up, it's better to leave the file in `/home` (where hopefully only the current user can read it), rather than `/tmp`.
Checking for the subdirectory seems reasonable though.
Could the file not be created as read-write only for current user, then after the key is written, change to read-only for current user?
I guess the permissions are fine already (user-only rw protects as much). I guess my main concern is some shared system where you might have the keyfile sitting around in the `/tmp` of some random node. In your home directory you might be more likely to notice it.
Good idea to add the file to
diff --git a/src/deploydocs.jl b/src/deploydocs.jl
index 02d572c4f..140d0e09e 100644
--- a/src/deploydocs.jl
+++ b/src/deploydocs.jl
@@ -357,6 +357,9 @@ function git_push(
end
# Add, commit, and push the docs to the remote.
+ open(".git/info/exclude", "a") do io
+ println(io, ".documenter-identity.file.tmp")
+ end
run(`$(git()) add -A .`)
if !success(`$(git()) diff --cached --exit-code`)
if !isnothing(archive) |
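Review bot: the name written to .git/info/exclude on the `println` line is `.documenter-identity.file.tmp` (a dot between "identity" and "file"), while the key file elsewhere in this PR is `.documenter-identity-file.tmp`, so the exclude entry would not match and `git add -A .` would still stage the key. Take both strings from one constant. The relative path `.git/info/exclude` also depends on the current directory being the repository root, and append mode adds one more line on every run.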
Thanks for the quick fix! Not very familiar with Documenter internals, but this seems like the right approach to me
@@ -357,7 +365,7 @@ function git_push( | |||
end | |||
|
|||
# Add, commit, and push the docs to the remote. | |||
run(`$(git()) add -A .`) | |||
run(`$(git()) add -A -- ':!.documenter-identity-file.tmp' ':!**/.documenter-identity-file.tmp'`) |
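Review bot: the added `git add -A --` line passes only exclude pathspecs, where the removed line named `.` explicitly. Keep `.` as the first pathspec after `--` so the scope of the add does not depend on how git treats an exclude-only list. The file name also appears twice in this literal and again where `keyfile` is built; a shared constant would keep them in sync.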
@fredrikekre Does this look right to you? `':!.documenter-identity-file.tmp'` seemed to only exclude the top-level file.
Looks like that works, but I wonder why the first isn't sufficient. In a standard `.gitignore` file a line with `.documenter-identity-file.tmp` would exclude all files with that name.
Okay, I kinda changed my mind now. I think checking that tmpdir/homedir is a subdirectory of On the other hand, the
(cherry picked from commit 7560548)
Rather than writing the key to the repository, let's write it to `homedir()`. I think ideally we would avoid writing a temporary file altogether, but I think the only way to do it then is with `ssh-agent`?

cc @simeonschaub
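
The safeguards raised in the review thread above (key file outside the deploy target with a loud error otherwise, user-only permissions that drop to read-only once the key is written, guaranteed cleanup), put together as an added example in Julia. This is not Documenter's code; `is_inside`, `with_identity_file`, the `keydir` keyword and the sample inputs are hypothetical.

```julia
# Added example, not Documenter.jl code; every name below is hypothetical.

# True if `path` is `dir` itself or lies anywhere below it (symlinks resolved).
function is_inside(path::AbstractString, dir::AbstractString)
    p, d = splitpath(realpath(path)), splitpath(realpath(dir))
    return length(p) >= length(d) && p[1:length(d)] == d
end

# Write `key` to a user-only file outside `target`, call `f(keyfile)`,
# and remove the file afterwards even if `f` throws.
function with_identity_file(f, key::AbstractString, target::AbstractString;
                            keydir::AbstractString = homedir())
    # Error loudly if the key would land in the tree that gets staged.
    is_inside(keydir, target) &&
        error("refusing to write SSH key under deploy target: $keydir")
    keyfile, io = mktemp(keydir)    # unique file name inside keydir
    try
        chmod(keyfile, 0o600)       # owner read-write while the key is written
        write(io, key)
        close(io)
        chmod(keyfile, 0o400)       # owner read-only once written
        return f(keyfile)
    finally
        isopen(io) && close(io)
        rm(keyfile; force = true)
    end
end

# Constructed demo: throwaway directories and a placeholder key string.
target = mktempdir()
with_identity_file("PLACEHOLDER-KEY\n", target; keydir = mktempdir()) do keyfile
    @assert !is_inside(keyfile, target)
    @assert (filemode(keyfile) & 0o077) == 0   # POSIX: no group/other access
end

# A key directory inside the deploy tree is rejected before any write.
nested = joinpath(target, "build")
mkpath(nested)
try
    with_identity_file(identity, "PLACEHOLDER-KEY\n", target; keydir = nested)
catch err
    println("rejected: ", err.msg)
end
```

The check runs on the directory before the file is created, so a misconfigured `keydir` never results in key material being written into the tree that `git add` walks.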