How to keep authentication private when integrating in CI (GitHub, GitLab, etc)

Hello there!

I wonder about a specific topic because I would like to integrate some of the Mender management API in my continuous integration tests in GitHub/GitLab. My concern is about keeping the authentication material private, e.g. the username/password or token that permits interaction with the API.

Difficulty: when accepting external contributions, anyone is able, through the CI, to print environment variables or dump configuration or binary files in the shell, which means they can access the secrets if these are not properly hidden.

I have imagined several things but at the moment I keep the following:

  • using mender-cli in an external Docker container, with the JSON configuration file mounted as a volume. But how to give access to mender-cli without exposing the configuration file? (As an additional note, mender-cli doesn't provide the whole API, but this is only the current status and can change)
  • creating a specific service in a Docker container or on another physical machine, that is invoked, let's say, using HTTP or a TCP socket to execute commands on the Mender API, and implemented in such a way that the secrets can't be returned to the executor. Of course all other access points closed, particularly SSH etc.

mender-cli is designed to be used in CI. Has anyone succeeded in solving this issue so as not to expose secrets?

Has anyone tried to do something looking like the second solution? I will be pleased to contribute if something public has started. I imagine simple PHP pages or a service written in C or … Plenty of ideas :bulb:

If you are also interested in this topic, write to indicate your interest. I'm already thinking that if I don't find an existing and simple solution I will start a public work on that and share it on my GitHub :-D

Joel

Edit: another option is to require review and approval of pull requests from external contributions before executing the CI, each time the PR is updated. Should work for most cases probably, but it relies on the seriousness of reviewers.
But what is engineering if not trying to find another nice solution to a problem? :slight_smile:

1 Like
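The second option above (a separate service that holds the credentials and executes a fixed set of Mender API commands on behalf of the CI) can be sketched as a small broker. The following is an added example, not code from the original post or from the Mender project: the token stays inside the broker process, the CI may only request allow-listed operations with validated parameters, and every reply is scrubbed so the token cannot be echoed back even through an upstream error message. The operation names, the API paths and the injected `send` callable are assumptions for illustration; the real HTTP call is represented by `send` so the example runs offline.

```python
"""Added example (not from the original post or the Mender project): a minimal
credential-holding broker for CI. The CI job never receives the Mender token;
it sends a small JSON request to this broker, which runs on another host or
container and keeps the token in its own process."""
import re

# Operations the CI may request. Method and path template are fixed here; the
# caller only supplies the placeholder values. The paths are assumed for
# illustration; check them against the Mender management API you actually use.
ALLOWED_OPS = {
    "list_devices": ("GET", "/api/management/v2/devauth/devices"),
    "deployment_status": (
        "GET",
        "/api/management/v1/deployments/deployments/{deployment_id}",
    ),
}

# A placeholder value must pass its validator before it is spliced into a path,
# which rules out traversal or query injection through the parameter.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
PARAM_VALIDATORS = {"deployment_id": UUID_RE.fullmatch}
PLACEHOLDER_RE = re.compile(r"{(\w+)}")


class Broker:
    def __init__(self, base_url, token, send):
        """`send(method, url, headers) -> (status, body)` performs the real
        HTTP call. It is injected so the broker can be exercised offline."""
        self._base_url = base_url
        self._token = token              # never leaves this object
        self._send = send
        self._redact_re = re.compile(re.escape(token))

    def _redact(self, text):
        """Replace any occurrence of the token in text we are about to return."""
        return self._redact_re.sub("[REDACTED]", text)

    def handle(self, request):
        """Serve one CI request of the form {"op": "...", "params": {...}}."""
        op = request.get("op")
        if op not in ALLOWED_OPS:
            return {"ok": False, "error": "operation not allowed"}
        method, template = ALLOWED_OPS[op]
        params = request.get("params") or {}
        required = set(PLACEHOLDER_RE.findall(template))
        if set(params) != required:
            return {"ok": False, "error": "unexpected or missing parameters"}
        for name, value in params.items():
            validator = PARAM_VALIDATORS.get(name)
            if validator is None or not isinstance(value, str) or not validator(value):
                return {"ok": False, "error": f"invalid parameter {name}"}
        url = self._base_url + template.format(**params)
        headers = {"Authorization": "Bearer " + self._token}
        try:
            status, body = self._send(method, url, headers)
        except Exception as exc:   # an upstream error may quote the request
            return {"ok": False, "error": self._redact(str(exc))}
        return {"ok": status == 200, "status": status, "body": self._redact(body)}


def fake_send_factory(calls):
    """Constructed stand-in for the HTTP client: records each call and echoes
    the bearer header back in the body, the worst case a server error might do."""
    def send(method, url, headers):
        calls.append((method, url))
        return 200, f"served {url} with {headers['Authorization']}"
    return send


if __name__ == "__main__":
    calls = []
    broker = Broker("https://mender.example", "SECRET-TOKEN", fake_send_factory(calls))
    print(broker.handle({"op": "list_devices"}))
    print(broker.handle({"op": "deployment_status",
                         "params": {"deployment_id": "../admin"}}))
    print(broker.handle({"op": "delete_everything"}))
```

In a real deployment the broker would listen only on an address the CI runner can reach, authenticate the runner (for example with a per-job, short-lived token that is itself worthless for the Mender API), and log every request; the CI side then needs nothing more than the broker URL. The redaction step is a last line of defence, not the main control: the main control is that the broker only ever performs the operations in `ALLOWED_OPS`.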

Hello @joelguittet ,
have you looked at GitHub/GitLab security hardening when it comes to workflow or pipeline protection?

GitHub offers environments for deployment, and GitLab offers protected variables.
This way you ensure that your API secrets are restricted to protected branches/environments only, so they cannot be accessed from an external PR.

Hello @robgio

Not bad, but the purpose of the tests done in the CI is to ensure modifications don't introduce regressions. So testing after merging, when it comes to master or another trusted branch, is not what I'm looking for.

Joel

My personal, crazy idea would be to pack Mender OSS into a container that gets spun up for the testing procedure and disposed of afterwards. Any leaked credential is absolutely worthless then.

Greetz,
Josef

Agreed, this is responding to the topic, a bit of work here :slight_smile:
This also applies to hiding the tenant token (the firmware of devices should be built separately, with the config not visible from the CI, or provisioning should be handled in a way that the token is not visible).

Thinking about the topic … :thinking:

Joel

1 Like