Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: updating docker provenance generator to use repo vars/secrets for docker registry access #422

Merged
merged 3 commits into from
Aug 5, 2024
Merged

build: updating docker provenance generator to use repo vars/secrets for docker registry access #422

merged 3 commits into from
Aug 5, 2024

Conversation

rsoberano-ld
Copy link
Contributor

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Provide links to any issues in this repository or elsewhere relating to this pull request.

Describe the solution you've provided

Docker provenance generator needs repository credentials to publish provenance alongside the Docker image. However, the GITHUB_TOKEN referenced in the generator documentation doesn't work in our case, we need the same docker creds we use to publish the image in the first place.

Unfortunately, we can't safely pass credentials pulled from SSM in one workflow to the provenance generation workflow, so the most straightforward way to do this was configure the docker user/pass as a repository variable/secret via Terraform https://github.com/launchdarkly/terraform/pull/14600 and referencing it directly in the reusable workflow.

As a side note, we should be able to get rid of that SSM retrieval step now, but I want to make sure this works with the provenance generation workflow first to avoid breaking the build workflow.

Describe alternatives you've considered

Provide a clear and concise description of any alternative solutions or features you've considered.

Additional context

Add any other context about the pull request here.

@rsoberano-ld rsoberano-ld requested a review from a team as a code owner July 29, 2024 22:54
cwaldren-ld
cwaldren-ld reviewed Aug 5, 2024
View reviewed changes
.github/workflows/release-please.yml Outdated
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.DOCKER_TOKEN }}
Copy link
Contributor

@cwaldren-ld cwaldren-ld Aug 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a newline and it should be good to merge 👍

@cwaldren-ld cwaldren-ld merged commit 1c090ae into v8 Aug 5, 2024
8 checks passed
@cwaldren-ld cwaldren-ld deleted the rsoberano/SEC-5331/ld-relay-sigstore-slsa-fix-5 branch August 5, 2024 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cwaldren-ld cwaldren-ld cwaldren-ld approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rsoberano-ld @cwaldren-ld