Per-repository cache for Dockerfile as a CI environment #761

Closed
fkorotkov opened this issue Jan 7, 2021 · 1 comment

@fkorotkov
Contributor

Description

Add a repository setting to enable per-repository caching for Docker images instead of the default global one. Make new repositories use per-repository caching, as it's safer from a security perspective.

Context

Right now Dockerfile as a CI environment is cached globally. Because of #273 it is possible to inject malicious scripts, then remove them so a PR will look harmless but the cached image will still contain the malicious code. It's documented in #760.

#273 and #692 can help to lower the risk but they won't completely mitigate the potential vector of attack.

@fkorotkov
Contributor Author

Now images are cached per repository in the format of

cirrus-ci-community/${repository.fullName}/${dockerfile.path}:${dockerfile.fingerprint}

While building the image we've added the --cache-from flag to use the legacy globally cached image, if any. This should minimize the disturbance of the change by making the rebuild just copy over the legacy image to the new location.
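
A small model of the two cache-key layouts, added here as an illustration and not code from Cirrus CI or from the comment above. It shows why a key shared across repositories lets one repository's cached image be served to another, while the per-repository format forces a fresh build. The `global` tag layout, the fingerprint function (SHA-256 of the Dockerfile text only), the repository names and the file contents are constructed assumptions; only the per-repository format comes from the comment.

```python
import hashlib

NAMESPACE = "cirrus-ci-community"  # registry prefix from the quoted tag format


def fingerprint(dockerfile_text):
    # Assumption: the fingerprint covers only the Dockerfile text, so inputs
    # outside it (e.g. files copied into the image) do not change the key.
    return hashlib.sha256(dockerfile_text.encode()).hexdigest()[:12]


def global_key(repo, path, dockerfile_text):
    # Hypothetical legacy layout: one tag per fingerprint for all repositories.
    return f"{NAMESPACE}/global:{fingerprint(dockerfile_text)}"


def per_repo_key(repo, path, dockerfile_text):
    # Layout quoted in the comment above.
    return f"{NAMESPACE}/{repo}/{path}:{fingerprint(dockerfile_text)}"


def run_build(cache, key_fn, repo, path, dockerfile_text, context_files):
    """Return (image, cache_hit); build and store the image on a miss."""
    key = key_fn(repo, path, dockerfile_text)
    if key in cache:
        return cache[key], True
    image = {"built_for": repo, "context": dict(context_files)}
    cache[key] = image
    return image, False


def simulate(key_fn):
    """Two repositories with an identical Dockerfile; the first build bakes in
    a script that is not visible in the Dockerfile itself (constructed data)."""
    dockerfile = "FROM debian:stable\nCOPY setup.sh /setup.sh\nRUN sh /setup.sh\n"
    cache = {}
    run_build(cache, key_fn, "someone/fork", "ci/Dockerfile", dockerfile,
              {"setup.sh": "untrusted contents"})
    return run_build(cache, key_fn, "acme/app", "ci/Dockerfile", dockerfile,
                     {"setup.sh": "reviewed contents"})


if __name__ == "__main__":
    for fn in (global_key, per_repo_key):
        image, hit = simulate(fn)
        print(f"{fn.__name__}: cache_hit={hit} built_for={image['built_for']} "
              f"setup.sh={image['context']['setup.sh']!r}")
```

With the shared key, `acme/app` receives the image that was built for `someone/fork`; with the per-repository key it gets a cache miss and builds from its own context.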
