Fix license handling #2
Conversation
|
It's a little tricky to do that because the current workflow only has access to the path to the YAML input file, not to the output directory itself. The python script assumes the output should go in the same directory as the YAML file, though, so I guess that's a safe assumption for the shell code too. Working on that change now! |
there are three assumptions encoded here that are shared with `main.py`. first, the output is expected to be written in the same directory as the input YAML file; second, the output subdirectory is expected to be called `output`; and third, the desired output files are `dde.csv`, `icrmsd.csv`, `rmsd.csv`, and `tfd.csv`
|
Good call on that. As written, I think it also would have tried to add the output SQLite file, which I had ignored in my first draft of this repo but not in this one. |
| shell: bash -l {0} | ||
| run: | | ||
| set -e | ||
| echo "$LICENSE" > /tmp/oe_license.txt |
There was a problem hiding this comment.
Just double-checking my understanding, this spits out the license to file but it's encrypted, or otherwise not accessible from a third-party attacker?
There was a problem hiding this comment.
Thanks for the review! Yeah, at least to my understanding, this writes the license to a plain file, but it should be restricted to our instance of the GitHub runner, although it's not encrypted.
The only difference between this and the yammbs CI is where the secret is stored. In yammbs it's ${{ github.workspace }}/oe_license.txt, which expands to /home/runner/work/yammbs/yammbs/oe_license.txt. I chose /tmp here to keep it out of the repo in case of any errant git add commands. Of course, with the gitignore and removing the license after using it, it should be safer to write it somewhere else if you prefer. $HOME could be another option, if we're worried specifically about /tmp.
There was a problem hiding this comment.
Yup all good ideas I think
Based on my failing test run,
${{ github.workspace }}just points to the directory where the runner is running code, not to the directory of organization secrets like I thought. I took this line from here in yammbs, but I didn't notice the secondOE_LICENSEsection here, which actually writes the${{ secrets.OE_LICENSE }}to a file. This PR restores my earlierOE_LICENSEhandling (writing it to/tmp) and adds two further safeguards against committing the license to the repo:oe_license.txtin the .gitignore filerm $OE_LICENSEbefore doing any git operations