Conversation
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Sunday, 09-Feb-2025 23:17:24 JST
@captainepoch What's even the point of having a password on the key for CI/CD?
Hollow Cанëк likes this.
iced depresso (icedquinn@blob.cat)'s status on Sunday, 09-Feb-2025 23:27:28 JST
@ax3 @lanodan @captainepoch you can control the scope of what the key can be used to do by making a dedicated user the key belongs to and using posix/acl permissions on that user.
although since it's a build service you already are in for a bad day because they could do anything to your artifacts :neocat_woozy:
Δж3 (ax3@wizard.casa)'s status on Sunday, 09-Feb-2025 23:27:29 JST
@lanodan @captainepoch @icedquinn if your ci runner or action's ssh implementation supports it, using a secret stored as the envvar SSH_PASSPHRASE should work. notably this works in gitlab. from a posture standpoint it makes more sense to have a dedicated ed25519 key just for ci/cd jobs with no passphrase. you're creating more complexity than security with the proposed setup.