Remove any need for using long-lived secrets from CI #159
Labels
carvel accepted
This issue should be considered for future work and that the triage process has been completed
enhancement
This issue is a feature request
priority/important-soon
Must be staffed and worked on currently or soon.
Describe the problem/challenge you have
We did this:
by plumbing our DockerHub credentials into the workflow.
However, GitHub does not supply the `secrets` context to workflows running from a fork of a public repo (docs). So, our workflow failed for such pull requests:
on account that the secret is empty and the script initially didn't account for that condition.
This means that contributors that must use a fork of the repo are subject to DockerHub's rate limiting, again.
Describe the solution you'd like
Be able to run a complete end-to-end test without requiring sensitive data.
This could be:
Anything else you would like to add:
Bonus points if that registry could be deployed with TLS enabled and secured (i.e. fitted with ephemeral credentials).
There's a test that's currently being skipped on account of the deployed registry not being secure:
https://github.com/vmware-tanzu/carvel-kbld/blob/7c1bb9b04735ce94d3edfe3faa4f4181e51ebbc3/test/e2e/build_kubectl_buildkit_test.go#L58-L64
Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you want to help work on this issue.
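The two points raised in the issue, handling the empty secret on fork pull requests and fitting a throwaway registry with per-run credentials and TLS, sketched as an added shell example that is not part of the original issue or the kbld repository. The variable names `DOCKERHUB_USERNAME` and `DOCKERHUB_PASSWORD`, the file names and all function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the kbld repository. DOCKERHUB_USERNAME,
# DOCKERHUB_PASSWORD and every function name here are assumptions.

# Fork pull requests receive empty secrets, so treat "unset" and "empty" alike.
registry_auth_mode() {
  if [ -n "${DOCKERHUB_USERNAME:-}" ] && [ -n "${DOCKERHUB_PASSWORD:-}" ]; then
    echo authenticated
  else
    echo anonymous
  fi
}

# Log in only when credentials exist; the password goes via stdin, not argv.
maybe_docker_login() {
  if [ "$(registry_auth_mode)" = authenticated ]; then
    printf '%s' "$DOCKERHUB_PASSWORD" |
      docker login --username "$DOCKERHUB_USERNAME" --password-stdin
  else
    echo "no registry credentials (fork PR?), continuing anonymously" >&2
  fi
}

# Random hex string of $1 bytes from the kernel CSPRNG.
rand_hex() { od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'; }

# Per-run username and password for a throwaway registry, written to
# directory $1 with a restrictive umask so only the CI user can read them.
gen_ephemeral_creds() {
  ( umask 077
    mkdir -p "$1"
    printf 'ci-%s' "$(rand_hex 4)" > "$1/user"
    rand_hex 24 > "$1/password"
  )
}

# One-day self-signed certificate for a registry reachable on localhost.
gen_tls_cert() {
  ( umask 077
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
      -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
  )
}
```

Nothing generated here outlives the CI run, so there is no long-lived secret to store in the repository settings; the registry's htpasswd file would still have to be derived from the generated password.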