[TaskCluster GitHub] Support jobs against private repos.

RESOLVED WORKSFORME

Status

Taskcluster
Github
RESOLVED WORKSFORME
2 years ago
6 months ago

People

(Reporter: mrrrgn, Unassigned)

(Reporter)

Description

2 years ago
This will require a working secrets system, so that we can distribute a private key to tasks that need to check out private repositories.
(Reporter)

Updated

2 years ago
Summary: [Taskcluster GitHub] Support jobs against private repos. → [TaskCluster GitHub] Support jobs against private repos.
(Reporter)

Updated

2 years ago
Depends on: 1214905
(Reporter)

Updated

2 years ago
Assignee: nobody → winter2718
No longer depends on: 1214905
(Reporter)

Updated

2 years ago
Blocks: 1214907
(Reporter)

Comment 1

2 years ago
The next step here is to add an endpoint to taskcluster github that allows repository owners to set secrets for their repository. Then tc-gh can start jobs along with a secrets proxy that has read-only credentials for the secrets. See: http://docs.taskcluster.net/services/secrets/
(Reporter)

Updated

2 years ago
Assignee: winter2718 → nobody
(Reporter)

Comment 2

2 years ago
I'd be willing to mentor this bug.
Component: Other → Github
Product: Release Engineering → Taskcluster
QA Contact: mshal

Comment 3

6 months ago
This should no longer be an issue. We now have an awesome GitHub integration that repos can install to get access to our tc-gh scheduling, and with a little setup, secrets can be added for a given repo that can be used in tasks.

Our open cloud configuration setup for Windows workers does just this... New commits will trigger tasks that pull some secrets from our secrets store to be able to publish new AMIs.

That said, one thing to note is that while you are technically able to retrieve secrets within these tasks, there is the potential of leaking them in the logs. Only docker-worker allows one to specify an alternative log location, as far as I'm aware, that makes those logs private.
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → WORKSFORME
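
The log-leak caveat in Comment 3, as an added example that is not part of the original bug thread and not Taskcluster code: a task wrapper that hands secrets to a child command through its environment and masks their values in the output before it reaches the task log. The names `run_redacted`, `secret_needles` and `redact` are hypothetical, and the sample secrets are constructed values.

```python
import os
import subprocess
import sys

MASK = "[REDACTED]"

def secret_needles(secrets):
    """Split each secret into the strings to mask. A multi-line secret such as
    a PEM private key reaches the log one line at a time, so every line of it
    is masked separately; very short fragments are skipped to avoid masking
    ordinary words."""
    needles = set()
    for value in secrets.values():
        for part in value.splitlines():
            part = part.strip()
            if len(part) >= 8:
                needles.add(part)
    # Longest first so a needle that contains another is replaced whole.
    return sorted(needles, key=len, reverse=True)

def redact(line, needles):
    for needle in needles:
        line = line.replace(needle, MASK)
    return line

def run_redacted(argv, secrets, log=sys.stdout):
    """Run argv with the secrets in its environment and copy its combined
    stdout/stderr to `log` with secret values masked. Returns the exit code."""
    needles = secret_needles(secrets)
    env = dict(os.environ, **secrets)
    proc = subprocess.Popen(argv, env=env, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    for line in proc.stdout:
        log.write(redact(line, needles))
    return proc.wait()

if __name__ == "__main__":
    # Constructed sample values; a real task would read them from its secrets store.
    sample = {"DEPLOY_KEY": "-----BEGIN KEY-----\nQ09OU1RSVUNURURLRVk=\n-----END KEY-----",
              "API_TOKEN": "constructed-token-1234"}
    child = [sys.executable, "-c",
             "import os; print('token=' + os.environ['API_TOKEN']); print(os.environ['DEPLOY_KEY'])"]
    run_redacted(child, sample)
```

Masking only catches a secret printed verbatim; an encoded or otherwise transformed copy still reaches the log, so a private log location remains the stronger control where the worker offers one.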