[llvm] workflows/release-binaries: Remove .git directory from artifacts (PR #106310)

via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 27 16:34:57 PDT 2024


llvmbot wrote:


@llvm/pr-subscribers-github-workflow

Author: Tom Stellard (tstellar)

<details>
<summary>Changes</summary>

The .git/config file contains an auth token that can be leaked if the .git directory is included in a workflow artifact.

---
Full diff: https://github.com/llvm/llvm-project/pull/106310.diff


1 File Affected:

- (modified) .github/workflows/release-binaries-save-stage/action.yml (+4) 


``````````diff
diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml
index e2f3eeadd15bea..63d00255f6d8fb 100644
--- a/.github/workflows/release-binaries-save-stage/action.yml
+++ b/.github/workflows/release-binaries-save-stage/action.yml
@@ -18,6 +18,10 @@ runs:
     - name: Package Build and Source Directories
       shell: bash
       run: |
+        # Remove git directory so we avoid leaking secrets stored in .git/config.
+        # See https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
+        # This also helps reduce the size of the archive.
+        rm -Rf .git/
         # Windows does not support symlinks, so we need to dereference them.
         tar --exclude build/ ${{ (runner.os == 'Windows' && '-h') || '' }} -c . | zstd -T0 -c > ../llvm-project.tar.zst
         mv ../llvm-project.tar.zst .

``````````
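Review bot: `rm -Rf .git/` deletes the checkout's git metadata in place rather than merely keeping it out of the archive, so any later step in the same job that invokes git would fail; since the `tar` line already carries `--exclude build/`, the narrower fix is an `--exclude .git/` beside it, which keeps `.git/config` out of `../llvm-project.tar.zst` without touching the working tree. If the in-place deletion is deliberate, so that nothing left in the workspace can be re-packaged by a later step, the comment should say so, because it currently reads as only an artifact-size and leak concern. Either way this hunk strips the copy after the fact; the token itself is written by the checkout step, which is not in this diff, so setting `persist-credentials: false` on actions/checkout where the release job does not need a pushable credential removes the secret at its source and makes the `rm` a defense-in-depth measure rather than the only barrier.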

</details>


https://github.com/llvm/llvm-project/pull/106310
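The check a practitioner would put in front of the upload, as an added example that is not code from PR #106310 or the LLVM project: it packages a source tree the way release-binaries-save-stage does, but by excluding `.git/` instead of deleting it, and then refuses any archive that still carries git metadata. Assumptions: plain `tar` stands in for the action's `tar | zstd` pipeline; the function names and the sample checkout are mine; the `extraheader` line in the constructed `.git/config` mirrors the form actions/checkout writes, with an obvious placeholder in place of a real token.

```shell
#!/usr/bin/env bash
# Added example, not code from PR #106310 or the LLVM project: build a source
# archive like release-binaries-save-stage does, but exclude .git/ instead of
# deleting it, and verify the archive holds no git metadata before upload.
# Plain tar is used here (the action pipes through zstd); the tree is constructed.
set -eu

# package_tree SRC_DIR OUT_TAR
# Archive SRC_DIR without build/ and .git/. tar matches an exclude pattern
# against any path component and skips an excluded directory together with
# everything under it, so a nested .git (for example a submodule) is dropped too.
package_tree() {
  src=$1
  out=$2
  tar --exclude='.git' --exclude='build' -cf "$out" -C "$src" .
}

# artifact_has_git_metadata ARCHIVE
# Succeed (exit 0) if any entry sits in a .git directory. The listing is
# captured first and grep runs on the captured text, so tar is never cut off
# mid-write by an early grep exit.
artifact_has_git_metadata() {
  entries=$(tar -tf "$1")
  printf '%s\n' "$entries" | grep -Eq '(^|/)\.git(/|$)'
}

# check_artifact ARCHIVE
# Gate to run before actions/upload-artifact: non-zero exit means do not upload.
check_artifact() {
  if artifact_has_git_metadata "$1"; then
    echo "LEAK: $1 contains .git metadata, refusing to upload" >&2
    return 1
  fi
  echo "clean: $1"
}

# make_fixture DIR
# Constructed sample checkout: a .git/config carrying the kind of auth header
# actions/checkout writes (placeholder value, not a real token), a build/
# directory that must also stay out of the archive, and one source file.
make_fixture() {
  dir=$1
  mkdir -p "$dir/.git" "$dir/build" "$dir/llvm"
  printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic PLACEHOLDER_NOT_A_REAL_TOKEN\n' \
    > "$dir/.git/config"
  echo 'int main(void) { return 0; }' > "$dir/llvm/main.c"
  echo 'object' > "$dir/build/main.o"
}

# Demo: an archive made without the exclusion fails the gate, the packaged one passes.
work=$(mktemp -d)
make_fixture "$work/src"
tar -cf "$work/leaky.tar" -C "$work/src" .
check_artifact "$work/leaky.tar" || true   # prints the LEAK line on stderr
package_tree "$work/src" "$work/clean.tar"
check_artifact "$work/clean.tar"            # prints "clean: .../clean.tar"
rm -rf "$work"
```

Running `check_artifact` on the produced archive as a separate step, rather than trusting the packaging command, is the point: the gate stays valid even if someone later reorders the steps or drops the exclusion, and a failed gate stops the upload instead of shipping the token.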