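# Exercises safe and deliberately unsafe secret handling in GitHub Actions so
# that log masking, artifact contents and image contents can be inspected.
# Steps 6-8 leak DB_PASSWORD on purpose; they exist for the test and must not
# be copied into a production workflow.
#
# Third-party actions are referenced by major tag. Major tags are mutable;
# for supply-chain hardening pin each `uses:` to a full commit SHA instead.
name: Secret and Artifact Leakage Test

on:
  workflow_dispatch:  # manual trigger only

# Least privilege for the default GITHUB_TOKEN: no step writes through it
# (the GHCR push authenticates with the CR_PAT secret instead).
permissions:
  contents: read

jobs:
  test:
    # A self-hosted runner is not wiped between jobs: files, images and
    # registry logins created below persist on the machine.
    runs-on: self-hosted
    steps:
      # 1. Check out the repository
      - name: Checkout Repository
        uses: actions/checkout@v4

      # 2. Cache Node.js dependencies (keyed on package-lock.json, if present)
      - name: Cache Node modules
        uses: actions/cache@v4
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}

      # 3. Set up Node.js
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '14'

      # 4. Install npm dependencies (only if package.json exists)
      - name: Install npm dependencies
        run: |
          if [ -f package.json ]; then
            npm install
          else
            echo "No package.json found. Skipping npm install."
          fi

      # 5. Safe secret usage: the secret reaches the script only through an
      #    environment variable, never through the command text
      - name: Safe Secret Usage (Env Variable)
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
        run: |
          echo "Safe usage: DB_PASSWORD is $DB_PASSWORD"
          # The runner masks the value of DB_PASSWORD in the log as ***

      # 6. Unsafe secret usage: the expression is expanded directly into the
      #    script (intentional, kept so the test shows how this surfaces)
      - name: Unsafe Secret Usage (Inline)
        run: echo "Unsafe usage-- DB_PASSWORD is ${{ secrets.DB_PASSWORD }}"
        # Higher risk: the value becomes part of the command text, and some
        # CLI tools echo their full arguments to the log

      # 7. Write the secret to a file (simulates leaking sensitive data through
      #    an artifact; intentional)
      - name: Write Secret to File
        run: echo "Secret in file-- ${{ secrets.DB_PASSWORD }}" > secret.txt

      # 8. Upload the file containing the secret as an artifact
      - name: Upload Secret File Artifact
        uses: actions/upload-artifact@v4
        with:
          name: secret-artifact
          path: secret.txt
          # Keep the intentionally leaked artifact around only long enough
          # to inspect it
          retention-days: 1

      # 9. Cache pip dependencies (keyed on requirements.txt, if present)
      - name: Cache pip packages
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}

      # 10. Set up Python
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.8'

      # 11. Install pip dependencies (only if requirements.txt exists)
      - name: Install pip dependencies
        run: |
          if [ -f requirements.txt ]; then
            pip install -r requirements.txt
          else
            echo "No requirements.txt found. Skipping pip install."
          fi

      # 12. Docker build: build the image from the Dockerfile in the
      #     current directory
      - name: Build Docker Image
        run: |
          if [ -f Dockerfile ]; then
            docker build -t secret-tester:latest .
          else
            echo "No Dockerfile found. Skipping Docker build."
          fi

      # 13. Save the built image as a tarball
      - name: Save Docker Image to Tarball
        run: |
          if docker image inspect secret-tester:latest > /dev/null 2>&1; then
            docker save secret-tester:latest -o secret-tester.tar
          else
            echo "Docker image not built. Skipping save."
          fi

      # 14. Upload the image tarball as an artifact (optional; the upload
      #     action only warns when the file does not exist)
      - name: Upload Docker Image Artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image-artifact
          path: secret-tester.tar

      # 15. Push the image to GitHub Container Registry (GHCR)
      - name: Push Docker Image to GHCR
        env:
          # CR_PAT must be set in the repository Secrets: a GitHub personal
          # access token allowed to push packages
          CR_PAT: ${{ secrets.CR_PAT }}
          # Context values are passed through env rather than expanded with
          # ${{ }} inside the script, so the shell never parses them
          GH_USER: ${{ github.actor }}
          OWNER: ${{ github.repository_owner }}
        run: |
          # Skip when step 12 built nothing, instead of failing on docker tag
          if ! docker image inspect secret-tester:latest > /dev/null 2>&1; then
            echo "Docker image not built. Skipping push."
            exit 0
          fi
          # Image references must be lowercase; the owner name may not be
          owner="$(echo "$OWNER" | tr '[:upper:]' '[:lower:]')"
          image="ghcr.io/${owner}/secret-tester:latest"
          # Log in to GHCR with the GitHub username and the PAT; the token is
          # read from stdin so it does not appear in process arguments
          echo "$CR_PAT" | docker login ghcr.io -u "$GH_USER" --password-stdin
          # Print the local image list (debugging aid)
          docker images
          # Tag the image in GHCR form: ghcr.io/<owner>/<image>:<tag>
          docker tag secret-tester:latest "$image"
          # Print again to confirm the new tag
          docker images
          # Push the image
          docker push "$image"

      # 16. Always drop the registry credential again: on a self-hosted runner
      #     the Docker login would otherwise remain available to later jobs
      - name: Logout from GHCR
        if: always()
        run: docker logout ghcr.io || true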