Replace docker/login-action with inline docker login #8694
Drop dependency on docker/login-action by replacing it with a simple docker login command. Just reduces our supply chain exposure a bit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| # Password or personal access token used to log against the Docker registry | ||
| password: ${{ secrets.DOCKER_PASSWORD}} | ||
| # Log out from the Docker registry at the end of a job | ||
| logout: true |
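Review bot: with "logout: true" gone (last line of this hunk), nothing clears the registry credential once login has run, so every later step in the same job can read what docker login stores in the Docker client config. Discarding the runner covers what happens after the job, not the steps that run inside it. If any later step executes third-party code, add a final step that runs "docker logout docker.io" with "if: always()".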
We lose logout at the end of the job, but I think this is moot. The runner is discarded after each matrix run.
aarongable left a comment
LGTM, with the caveat that I'd like to see some sort of indication (e.g. in the PR description) that this is an accepted best-practice way to do this. GitHub Action supply chain dependency attacks are very real. They also protect us from very real accidental errors, like getting the difference between "$DOCKER_PASSWORD" and ${DOCKER_PASSWORD} wrong.
| # Log out from the Docker registry at the end of a job | ||
| logout: true | ||
| continue-on-error: true | ||
| run: printenv DOCKER_PASSWORD | docker login -u "$DOCKER_USERNAME" --password-stdin docker.io |
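Review bot: the run line at the end of this hunk has no guard for an unset or empty DOCKER_PASSWORD. In that case printenv writes nothing and docker login is handed empty stdin, so the outcome of the step depends on how the login attempt fails rather than on an explicit decision to skip it. Consider starting the script with a check such as [ -n "$DOCKER_PASSWORD" ] || exit 0 so runs without secrets skip the login cleanly. Feeding the secret through the environment and --password-stdin, with "$DOCKER_USERNAME" quoted, keeps it out of the command line and is worth keeping as is.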
This step should probably still have continue-on-error: true, so that versions of this workflow run in contexts that don't have access to our secrets can still download boulder-tools (subject to rate limits).