[llvm] workflows/release-binaries: Remove .git directory from artifacts (PR #106310)
Tom Stellard via llvm-commits
llvm-commits at lists.llvm.org
Tue Aug 27 16:34:21 PDT 2024
https://github.com/tstellar created https://github.com/llvm/llvm-project/pull/106310
The .git/config file contains an auth token that can be leaked if the .git directory is included in a workflow artifact.
From 394676b8c7239aec55cd4bebe7a999ead6bb6299 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 27 Aug 2024 16:27:18 -0700
Subject: [PATCH] workflows/release-binaries: Remove .git directory from artifacts
The .git/config file contains an auth token that can be leaked if
the .git directory is included in a workflow artifact.
---
.github/workflows/release-binaries-save-stage/action.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml
index e2f3eeadd15bea..63d00255f6d8fb 100644
--- a/.github/workflows/release-binaries-save-stage/action.yml
+++ b/.github/workflows/release-binaries-save-stage/action.yml
@@ -18,6 +18,10 @@ runs:
- name: Package Build and Source Directories
shell: bash
run: |
+ # Remove git directory so we avoid leaking secrets stored in .git/config.
+ # See https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
+ # This also helps reduce the size of the archive.
+ rm -Rf .git/
# Windows does not support symlinks, so we need to dereference them.
tar --exclude build/ ${{ (runner.os == 'Windows' && '-h') || '' }} -c . | zstd -T0 -c > ../llvm-project.tar.zst
mv ../llvm-project.tar.zst .
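Review bot: `rm -Rf .git/` deletes the checkout's git metadata in place, so any later step in this job that still needs git (version stamping, `git describe`, a second checkout-dependent step) will break silently or fail; since the `tar` line already uses `--exclude build/`, the less destructive form is `tar --exclude build/ --exclude .git/ ...`, which keeps `.git/config` (and the token it holds) out of the archive without touching the working tree. If deleting is intentional because nothing downstream needs git, say so in the comment so a future step author does not reintroduce a dependency on it.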