MozillaWiki

GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions

Page Discussion

GitHub/Repository Security/GitHub Workflows & Actions (view source)

Revision as of 15:42, 9 April 2025

210 bytes added ,  9 April
m
moving recommendation about excluding gcp token file under .dockerignore guidelines
m (Just changing the spacing on the page)
m (moving recommendation about excluding gcp token file under .dockerignore guidelines)
Line 80: Line 80:


==== Recommendations ====
==== Recommendations ====
* '''Exclude Version Control Directories''': Add <code>.git/</code> to your <code>.dockerignore</code> file to prevent the inclusion of Git history and metadata in your Docker image, thereby reducing image size and avoiding potential exposure of sensitive information.
* '''Exclude Version Control Directories''': Add <code>.git/</code> to your <code>.dockerignore</code> file to prevent the inclusion of Git configuration which could include the authentication token, history and metadata in your Docker image, thereby reducing image size and avoiding potential exposure of sensitive information.
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
.git/
.git/
Line 94: Line 94:
*.log
*.log
*.tmp
*.tmp
</syntaxhighlight>
* '''Exclude GitHub Actions Credential Files''': Exclude credential JSON files (<code>gha-creds-*.json</code>) used in GitHub Actions workflows to avoid inadvertently including authentication data in Docker images. Alternatively, build Docker images before running the <code>google-github-actions/auth@v2</code> step in your GitHub workflow, ensuring these credentials aren't present in your build context.
<syntaxhighlight lang="bash">
gha-creds-*.json
</syntaxhighlight>
==== Sample <code>.dockerignore</code> file ====
<syntaxhighlight lang="bash">
.git/
node_modules/
*.log
*.tmp
gha-creds-*.json
</syntaxhighlight>
</syntaxhighlight>


Line 102: Line 118:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
.env
.env
</syntaxhighlight>
* '''Exclude GitHub Actions Credential Files''': Exclude credential JSON files (<code>gha-creds-*.json</code>) used in GitHub Actions workflows to avoid inadvertently including authentication data in Docker images. Alternatively, build Docker images before running the <code>google-github-actions/auth@v2</code> step in your GitHub workflow, ensuring these credentials aren't present in your build context.
<syntaxhighlight lang="bash">
gha-creds-*.json
</syntaxhighlight>
</syntaxhighlight>


Fkiriakos
Confirmed users
7

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1253792"