authorHarmen Stoppels <harmenstoppels@gmail.com>2020-07-17 02:27:37 +0200
committerGitHub <noreply@github.com>2020-07-16 17:27:37 -0700
commit1fcc00df96325bbe83ad8ed90e1f5783bf26fcfb (patch)
tree3611a2e26b010168b4d7eb6d3d472dc2eac71a14 /lib
parent697c2183d3b364e05800a9b30c7c92f240e19273 (diff)
Fix security issue in CI (#17545)
The `spack-build-env.txt` file may contain many secrets, but the obvious one is the private signing key in `SPACK_SIGNING_KEY`. This file is nonetheless uploaded as a build artifact to GitLab. For anyone running CI on a public version of GitLab this is a major security problem. Even for private GitLab instances it can be very problematic. Co-authored-by: Scott Wittenburg <scott.wittenburg@kitware.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/spack/spack/ci.py9
-rw-r--r--lib/spack/spack/test/cmd/ci.py1
2 files changed, 1 insertions, 9 deletions
diff --git a/lib/spack/spack/ci.py b/lib/spack/spack/ci.py
index 732b985dd1..3b92dd4109 100644
--- a/lib/spack/spack/ci.py
+++ b/lib/spack/spack/ci.py
@@ -1043,17 +1043,10 @@ def copy_stage_logs_to_artifacts(job_spec, job_log_dir):
tty.debug('job package: {0}'.format(job_pkg))
stage_dir = job_pkg.stage.path
tty.debug('stage dir: {0}'.format(stage_dir))
- build_env_src = os.path.join(stage_dir, 'spack-build-env.txt')
build_out_src = os.path.join(stage_dir, 'spack-build-out.txt')
- build_env_dst = os.path.join(
- job_log_dir, 'spack-build-env.txt')
build_out_dst = os.path.join(
job_log_dir, 'spack-build-out.txt')
- tty.debug('Copying logs to artifacts:')
- tty.debug(' 1: {0} -> {1}'.format(
- build_env_src, build_env_dst))
- shutil.copyfile(build_env_src, build_env_dst)
- tty.debug(' 2: {0} -> {1}'.format(
+ tty.debug('Copying build log ({0}) to artifacts ({1})'.format(
build_out_src, build_out_dst))
shutil.copyfile(build_out_src, build_out_dst)
except Exception as inst:
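Review bot: Nothing in the new code records why `spack-build-env.txt` is deliberately left out of the artifacts, so a later change could restore the copy without realising the file holds the build environment, including `SPACK_SIGNING_KEY`. A comment above the `build_out_src` assignment (the function body continues outside this hunk) would pin the decision: `# Do not copy spack-build-env.txt: it can contain secrets such as SPACK_SIGNING_KEY.` The test hunk in `lib/spack/spack/test/cmd/ci.py` only drops the old assertion; a negative check such as `assert 'spack-build-env.txt' not in logs_dir_list` would turn the fix into a regression test. The build log that is still copied may also carry secret values if a package's build prints its environment, which cannot be judged from this hunk and is worth checking. Artifacts uploaded by earlier pipelines still contain the old file, so any signing key used with them should be treated as exposed and rotated.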
diff --git a/lib/spack/spack/test/cmd/ci.py b/lib/spack/spack/test/cmd/ci.py
index 2afe43cce5..afa7c7fc07 100644
--- a/lib/spack/spack/test/cmd/ci.py
+++ b/lib/spack/spack/test/cmd/ci.py
@@ -751,7 +751,6 @@ spack:
logs_dir_list = os.listdir(logs_dir.strpath)
- assert('spack-build-env.txt' in logs_dir_list)
assert('spack-build-out.txt' in logs_dir_list)
# Also just make sure that if something goes wrong with the