[raycicmd] Add opt-in mount-ssh-agent support for docker plugin

[andrew-anyscale]

Add AllowMountSSHAgent to the global docker plugin config, gating whether individual steps can enable SSH agent forwarding via mount_ssh_agent. Pipelines that don't set allow_mount_ssh_agent in their config will ignore the per-step setting entirely, preserving least-privilege defaults.

Topic: mount-ssh-agent

Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com
Signed-off-by: andrew andrew@anyscale.com

[andrew-anyscale]

Reviews in this chain:
└#460 [raycicmd] Add opt-in mount-ssh-agent support for docker plugin

[andrew-anyscale]

#	head	base	diff	date	summary
0	3a7227e1	ce65f90a	diff	Mar 17 10:29 AM	2 files changed, 19 insertions(+), 5 deletions(-)
1	f5f3452a	ce65f90a	diff	Mar 17 12:01 PM	6 files changed, 147 insertions(+), 17 deletions(-)
2	e58f1860	ce65f90a	diff	Mar 17 13:35 PM	0 files changed

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the CI/CD pipeline by integrating SSH agent forwarding into Docker plugin steps. This change facilitates secure access to external resources, such as private Git repositories, during the build process without embedding credentials directly into the build environment. The update ensures that necessary SSH credentials are automatically available to Docker containers, streamlining development workflows that rely on SSH authentication.

Highlights

• SSH Agent Mounting: Enabled the mount-ssh-agent option for all Linux Docker plugin steps, allowing builds to access SSH credentials forwarded from the host.
• Testing: Added a new unit test to verify that the mount-ssh-agent flag is correctly set to true in the Docker plugin configuration.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• raycicmd/bk_pipeline.go
  • Added the "mount-ssh-agent": true entry to the Docker plugin configuration map.
• raycicmd/bk_pipeline_test.go
  • Introduced a new test function, TestMakeRayDockerPlugin_mountSSHAgent, to validate the presence and value of the mount-ssh-agent key.

Activity

• No human activity has occurred on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request enables SSH agent forwarding for all Linux-based Docker plugin steps in Buildkite by adding mount-ssh-agent: true. While the implementation is straightforward and includes a new test, I have a significant security concern about enabling this feature globally. SSH agent forwarding should ideally be used sparingly to adhere to the principle of least privilege. I've recommended making this a configurable option. Additionally, I've provided a suggestion to improve the robustness of the new test case.

[gemini-code-assist]

Hardcoding mount-ssh-agent: true enables SSH agent forwarding for all docker plugin steps. This could pose a security risk by violating the principle of least privilege, as it exposes SSH credentials to containers that may not need them. It would be more secure to make this feature opt-in. Please consider adding a mountSSHAgent flag to stepDockerPluginConfig and conditionally adding this option only when that flag is true for specific steps that require SSH access.

[gemini-code-assist]

The current check got != true is not type-safe and can lead to confusing test failures. For example, if got was the string "true", the test would fail with a message like ... mount-ssh-agent = true, want true because of %v formatting. Using a type assertion ensures that the value is a boolean, and using %#v in the error message provides a clearer output on failure, making the test more robust.

Suggested change

	if got != true {
	t.Errorf("makeRayDockerPlugin() mount-ssh-agent = %v, want true", got)
	}
	if val, ok := got.(bool); !ok || !val {
	t.Errorf("makeRayDockerPlugin() mount-ssh-agent = %#v, want true", got)
	}