Option to override credential path

[wyardley]

TL;DR

It doesn't appear there's a way to override the credential path outside of the workspace? This has the effect of including the credentials if a Docker build is done and there's a top level COPY . with gha-credentials* not in .dockerignore.

Obviously there are a couple of easy fixes (adding to .dockerignore, not using COPY .), but this is messy at best, even if the credentials leaked would likely not be usable for long.

auth/src/main.ts

Lines 150 to 153 in 71f9864

	// This has the unintended side-effect of leaking credentials over time,
	// because GITHUB_WORKSPACE is not automatically cleaned up on self-hosted
	// runners. To mitigate this issue, this action defines a post step to
	// remove any created credentials.

I see some of the notes about why this is so, but would it be possible to make the behavior more configurable, either to allow a user specified path, or to have some option that would create the credentials outside of the workspace, like in a temporary directory?

Detailed design

No response

Additional information

I think I could probably set create_credentials_file to false for now -- I don't need it, and had thought the default was false, but I may need it in the future for another step in my build anyway.

[github-actions]

Hi there @wyardley 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

You can mv it in a second step to any location (and one of the outputs has the full filename)

[wyardley]

You can mv it in a second step to any location (and one of the outputs has the full filename)

@sethvargo fair enough; I think I've got a couple of viable workarounds anyway. At that point, though, wouldn't you also have to update $GOOGLE_APPLICATION_CREDENTIALS, $GOOGLE_GHA_CREDS_PATH, etc?

I sort of understand the suggested workaround (and understand that you probably wouldn't want breaking changes), but given that creating credentials is default, I would have thought there would be some benefits to writing the creds (and setting the path in env vars) to a temporary path, and provide workarounds for those folks who do need to access the creds within Docker?

I feel like the current behavior is messy / unexpected (even if the actual security risks), though I do now see that it's documented in the README

[sethvargo]

It's something we plan to revisit in a future major release (where we do breaking changes).

[wyardley]

Awesome. Thanks for the quick response!

[sakojun]

I would prefer that the default behavior be to save them in a temporary directory. I think it is important to reduce the risk of accidental inclusion.