Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[buildkite] Fix env leakage of signed tokens #42526

Merged
merged 2 commits into from
Oct 7, 2021

Conversation

staticfloat
Copy link
Member

@staticfloat staticfloat commented Oct 7, 2021

No description provided.

After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks.  To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.

We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.
@staticfloat staticfloat requested a review from a team as a code owner October 7, 2021 05:50
@DilumAluthge DilumAluthge removed the request for review from a team October 7, 2021 14:39
@DilumAluthge DilumAluthge added backport 1.6 Change should be backported to release-1.6 backport 1.7 ci Continuous integration labels Oct 7, 2021
@DilumAluthge
Copy link
Member

For now, let's continue to backport all CI PRs to 1.6 and 1.7.

@DilumAluthge DilumAluthge merged commit 39fd36c into master Oct 7, 2021
@DilumAluthge DilumAluthge deleted the sf/buildkite_env_leakage branch October 7, 2021 15:37
KristofferC pushed a commit that referenced this pull request Oct 11, 2021
After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks.  To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.

We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.

(cherry picked from commit 39fd36c)
@JuliaLang JuliaLang deleted a comment from staticfloat Oct 16, 2021
@JuliaLang JuliaLang deleted a comment from staticfloat Oct 16, 2021
KristofferC pushed a commit that referenced this pull request Oct 19, 2021
After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks.  To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.

We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.

(cherry picked from commit 39fd36c)
KristofferC pushed a commit that referenced this pull request Nov 11, 2021
After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks.  To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.

We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.

(cherry picked from commit 39fd36c)
@KristofferC KristofferC removed the backport 1.6 Change should be backported to release-1.6 label Nov 13, 2021
LilithHafner pushed a commit to LilithHafner/julia that referenced this pull request Feb 22, 2022
After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks.  To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.

We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.
LilithHafner pushed a commit to LilithHafner/julia that referenced this pull request Mar 8, 2022
After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks.  To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.

We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.
staticfloat added a commit that referenced this pull request Dec 23, 2022
After a few days of debugging, the buildkite people figured out that the
reason our "unprivileged" jobs were getting privileges was because of an
obscure behavior of top-level `env:` blocks.  To fix it, we should
always scope our `env:` mappings to a particular step, and so that's
exactly what this does.

We also add a `.gitignore` mapping for the new, more convenient way that
`cryptic` likes to store keys in the repository.

(cherry picked from commit 39fd36c)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ci Continuous integration
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants