From 24dff9cf20e6a7592eb56e734f1cf4563db8a29d Mon Sep 17 00:00:00 2001 From: Harmen Stoppels Date: Fri, 17 Jul 2020 02:27:37 +0200 Subject: Fix security issue in CI (#17545) The `spack-build-env.txt` file may contains many secrets, but the obvious one is the private signing key in `SPACK_SIGNING_KEY`. This file is nonetheless uploaded as a build artifact to gitlab. For anyone running CI on a public version of Gitlab this is a major security problem. Even for private Gitlab instances it can be very problematic. Co-authored-by: Scott Wittenburg --- lib/spack/spack/ci.py | 9 +-------- lib/spack/spack/test/cmd/ci.py | 1 - 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/lib/spack/spack/ci.py b/lib/spack/spack/ci.py index 55d311d6a5..3c6812041f 100644 --- a/lib/spack/spack/ci.py +++ b/lib/spack/spack/ci.py @@ -1043,17 +1043,10 @@ def copy_stage_logs_to_artifacts(job_spec, job_log_dir): tty.debug('job package: {0}'.format(job_pkg)) stage_dir = job_pkg.stage.path tty.debug('stage dir: {0}'.format(stage_dir)) - build_env_src = os.path.join(stage_dir, 'spack-build-env.txt') build_out_src = os.path.join(stage_dir, 'spack-build-out.txt') - build_env_dst = os.path.join( - job_log_dir, 'spack-build-env.txt') build_out_dst = os.path.join( job_log_dir, 'spack-build-out.txt') - tty.debug('Copying logs to artifacts:') - tty.debug(' 1: {0} -> {1}'.format( - build_env_src, build_env_dst)) - shutil.copyfile(build_env_src, build_env_dst) - tty.debug(' 2: {0} -> {1}'.format( + tty.debug('Copying build log ({0}) to artifacts ({1})'.format( build_out_src, build_out_dst)) shutil.copyfile(build_out_src, build_out_dst) except Exception as inst: diff --git a/lib/spack/spack/test/cmd/ci.py b/lib/spack/spack/test/cmd/ci.py index 2afe43cce5..afa7c7fc07 100644 --- a/lib/spack/spack/test/cmd/ci.py +++ b/lib/spack/spack/test/cmd/ci.py @@ -751,7 +751,6 @@ spack: logs_dir_list = os.listdir(logs_dir.strpath) - assert('spack-build-env.txt' in logs_dir_list) assert('spack-build-out.txt' in logs_dir_list) # Also just make sure that if something goes wrong with the -- cgit v1.2.3-60-g2f50