feat(sconify)!: move usernames to secret and output tags #77
SeddikBellamine merged 3 commits into main from
Conversation
Pull Request Overview
This PR enhances security by moving Docker registry and Scontain usernames from public variables to secrets, and modifies outputs to return only image tags instead of full image names to prevent secret exposure in workflow outputs.
- Moves `docker-username` and `scontain-username` from workflow inputs to secrets
- Changes outputs from full image names to tags only (`debug-image` → `debug-image-tag`, `prod-image` → `prod-image-tag`)
- Updates documentation to reflect the new secret-based configuration approach
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| sconify/README.md | Updates documentation to reflect username secrets and tag-only outputs |
| .github/workflows/sconify.yml | Converts username inputs to secrets and modifies outputs to use tags |
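To make the output change concrete, here is an added illustration (not the repository's own `sconify.yml` or its README) of the pattern the PR describes: the reusable workflow declares the usernames under `secrets:` and exports only tags, and a caller rebuilds the full reference from its own secret plus the tag, so no username ever appears in a workflow output. The `prepare-command` step id, `image-repo` output and secret/output names come from the PR; the `my-app` repository name and the tag scheme are constructed placeholders.

```yaml
# Reusable workflow (illustrative stand-in for .github/workflows/sconify.yml)
on:
  workflow_call:
    secrets:
      docker-username:          # was an input; now a secret
        required: true
      scontain-username:
        required: true
    outputs:
      prod-image-tag:           # replaces prod-image (full name with username)
        value: ${{ jobs.sconify.outputs.prod-image-tag }}
      debug-image-tag:          # replaces debug-image
        value: ${{ jobs.sconify.outputs.debug-image-tag }}

jobs:
  sconify:
    runs-on: ubuntu-latest
    outputs:
      prod-image-tag: ${{ steps.prepare-command.outputs.prod-image-tag }}
      debug-image-tag: ${{ steps.prepare-command.outputs.debug-image-tag }}
    steps:
      - id: prepare-command
        env:
          DOCKER_USERNAME: ${{ secrets.docker-username }}
        run: |
          # image-repo embeds the secret username: it stays a step output
          # used inside this job and is never promoted to a workflow output.
          echo "image-repo=${DOCKER_USERNAME}/my-app" >> "$GITHUB_OUTPUT"
          echo "prod-image-tag=${GITHUB_SHA::7}-sconified" >> "$GITHUB_OUTPUT"
          echo "debug-image-tag=${GITHUB_SHA::7}-sconified-debug" >> "$GITHUB_OUTPUT"
---
# Caller workflow: passes its own secrets in, gets only tags back
jobs:
  build:
    uses: ./.github/workflows/sconify.yml
    secrets:
      docker-username: ${{ secrets.DOCKER_USERNAME }}
      scontain-username: ${{ secrets.SCONTAIN_USERNAME }}
  use-image:
    needs: build
    runs-on: ubuntu-latest
    env:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      PROD_TAG: ${{ needs.build.outputs.prod-image-tag }}
    steps:
      # The full reference is assembled locally from secret + tag; the tag
      # alone is safe to log or to pass between jobs.
      - run: docker pull "${DOCKER_USERNAME}/my-app:${PROD_TAG}"
```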
.github/workflows/sconify.yml (Outdated)
| echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.prod-image }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" | tee -a "$GITHUB_OUTPUT" | ||
| echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.prod-image }})" | tee -a "$GITHUB_OUTPUT" |
The variable reference prod-image should be updated to use the new image repository and tag format: ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }}
| echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.prod-image }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" | tee -a "$GITHUB_OUTPUT" | |
| echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.prod-image }})" | tee -a "$GITHUB_OUTPUT" | |
| echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" | tee -a "$GITHUB_OUTPUT" | |
| echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }})" | tee -a "$GITHUB_OUTPUT" |
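Review bot: the `checksum` line, in both the old and the updated form, takes `jq .[0].RepoDigests[0]`, which picks the first repo digest by position; that is only correct when the image carries exactly one repo digest, and an image that was also tagged or pulled under another repository can put a foreign digest at index 0, so `checksum` would then describe a different artifact than the `image-repo:prod-image-tag` that `mrenclave` is computed from. Selecting the digest by repository keeps the two outputs consistent and also removes the `sed`/`awk` post-processing, since `jq -r` emits an unquoted string, e.g. `jq -r --arg repo "<image-repo>" '.[0].RepoDigests[] | select(startswith($repo + "@sha256:")) | sub("^.*@sha256:"; "")'`. It is also worth a comment in the workflow that `image-repo` now embeds the username and must remain a step output rather than being surfaced as a job or workflow output.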
…ebug-image and prod-image (496cd37 to fcb1bcf)
SeddikBellamine left a comment
Seems valid to me, I'm just going to test the sconification with the version from the branch; once that's validated, we'll merge and release, wdyt?

I'll let you merge the PR when you are happy with it; release-please should create a v2.0.0 release PR, feel free to merge it 👍
BREAKING
- Docker usernames are now secrets
- Image names are no longer output because they can contain a secret (the username); instead only tags are output
workflow test: https://github.com/PierreJeanjacquot/GA-tests/actions/runs/16197621644