Other Registries
If we hosted our images anywhere other than GHCR, we could push and sign in PRs
bsherman•23d ago
talk to me about this
i feel dense, and i've tried to understand more deeply this issue, but i still feel somewhat ignorant
p5•23d ago
So...
Currently our actions use a single GITHUB_TOKEN secret (abstracted from us) which provides read/write permissions to all registries in that GitHub repo. Any PR has access to this GITHUB_TOKEN, so could in theory overwrite the "production" tags (user-facing tags, i.e. ":latest"). If we had two Quay (or other provider) registries, we can store credentials for each in GitHub Actions. One "production" registry with creds only accessible from the main branch in GitHub, and another "sandbox" registry with creds accessible in PRs. So a build in a PR will use the sandbox credentials, and the exact same workflow running from the main branch would have access to the prod registry credentials. There's no way an image built and pushed from a PR would end up in the production registry. We could even sign with a different key. The only requirement for this to work is separate credentials for each registry.
bsherman•23d ago
thank you for a good explanation.
it seems this 100% is tied to the fact that the default GITHUB_TOKEN is used for everything in github actions
simple to understand when you explain it like this 😄
j0rge•23d ago
I'd be down to use/push to quay.io - ideally later
because there could also be people who have bad github connectivity.
Noel•23d ago
I am going to implement this in my own custom image.
As a proof of concept.
I already push and sign PR images anyway because my use case is so simple and I have no contributors on it.
p5•23d ago
All we'd need to switch over is a systemd unit that runs the rebase command I think. Add it in the final image pushed to GHCR and remove it in the first image pushed to Quay
Noel•23d ago
as far as removing our key?
p5•23d ago
I think our key can stay. I was meaning to automate `rpm-ostree rebase` to the new quay registry
Noel•23d ago
Also @j0rge I think we should be on more than just ghcr and quay. I think we should be on the docker registry too.
j0rge•23d ago
yeah but that one is more complicated
Noel•23d ago
the docker registry? how so?
j0rge•23d ago
ratelimiting etc.
Noel•23d ago
oh, would we have to pay or something?
j0rge•23d ago
like we have to apply to be exempt, it's paperwork
agree we should tho
Noel•23d ago
helps avoid a single point of failure.
though if Github goes down, we are screwed anyway lol
p5•23d ago
I want a proxy infront of them all
Might experiment tonight
Noel•23d ago
actually.
that is a really good idea.
we could do a hosted proxy through cloudflare or something.
p5•23d ago
I'd love to say it was my own, but it's been mentioned before
j0rge•23d ago
we investigated this earlier in the project but nacked it
Noel•23d ago
if we had a proxy, folks could pull down from whatever registry is closest to them
j0rge•23d ago
(it's why ublue.it exists)
Noel•23d ago
yeah, I don't think it is a big enough problem, ghcr has served us well enough.
I do think having a separate sandbox registry would solve our problem though for PRs.
M2•23d ago
Would also be nice to show people you could point to your own caching registry if you want to only pull from the registries to one local server
bsherman•17d ago
the gitea discussion in #🦈bluefin got me wondering about this thread again...
so... we need distinct credentials...
What about this idea?
Create a PAT which only allows publishing images to GHCR on a distinct Github org (eg, https://github.com/ublue-os-test/) and provide said PAT to our workflows, then our workflows can publish all PRs to that location.
hmm... it works, I guess, but doesn't protect from a bad actor changing the workflow in PR to publish to our main repo
p5•17d ago
Would kinda need to be the other way around - move the "production" registry to another org.
We can restrict access to secrets based on the branches, but not restrict usage of GITHUB_TOKEN
bsherman•17d ago
exactly
i wonder if we can remove the "publish to registry" privilege from the GITHUB_TOKEN default permissions... then we can use a PAT by environment for both PRODUCTION (ublue-os) and STAGING (ublue-os-test)
p5•17d ago
GITHUB_TOKEN permissions are not able to be limited like that. You can set the default permissions for each repo / the entire org to read-only, but can't prevent someone adding
```yaml
permissions:
  packages: write
```
in the workflow
bsherman•17d ago
i think we can
hmm
p5•17d ago
YES! That would work!
bsherman•17d ago
I DO think we probably need to implement an org management tool to enforce settings/permissions before trying to implement something like this...
seems easy to miss something manually
p5•17d ago
No API for this setting when I checked 2 months ago 😦
bsherman•17d ago
@j0rge forgive me for asking probably the 10th time... what's the latest product you think we should try for org management?
i want to create an issue in project plan
j0rge•17d ago
Minder
I thought I disconnected from it so you could manage it?
bsherman•17d ago
you did... but I lose track of things quickly without a tracker 😄
https://github.com/stacklok/minder
j0rge•17d ago
You want their cloud service
bsherman•17d ago
draft item in project
j0rge•17d ago
I'll be home soon and whack in some details
bsherman•17d ago
Goal for doing environments to enable pushing images on PRs
https://github.com/orgs/ublue-os/projects/1/views/1?pane=issue&itemId=61241610
@Noel
@Kyle Gospo
@EyeCantCU