
(not for commit) Use blacksmith for docker#132

Draft
thekondor wants to merge 1 commit into main from CORE-1504__use-blacksmith-docker

Conversation

@thekondor (Contributor) commented Oct 23, 2025

Copy of docker with changes to ease referring to the file (instead of hashes in the path, etc.). Either dropped or renamed back to docker.yml.

Ticket: https://remerge.atlassian.net/browse/CORE-1502

@thekondor thekondor requested a review from a team as a code owner October 23, 2025 07:03
@remerge-hal

This comment ensures that the correct Slack channel is notified after the team/project label CORE has been added to this pull request.

See this comment for details.

@thekondor thekondor self-assigned this Oct 23, 2025

- if: ${{ env.use_deprecated_ssh_var == 'false' }}
name: Set up SSH
uses: webfactory/ssh-agent@v0.9.0

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step) uses 'webfactory/ssh-agent' with ref 'v0.9.0', not a pinned commit hash.

- if: ${{ env.use_deprecated_ssh_var == 'true' }}
name: Set up SSH
uses: webfactory/ssh-agent@v0.9.0

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step) uses 'webfactory/ssh-agent' with ref 'v0.9.0', not a pinned commit hash.
${{ inputs.gen-cache-path}}

- name: Set up Docker Buildx
uses: useblacksmith/setup-docker-builder@v1

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step) uses 'useblacksmith/setup-docker-builder' with ref 'v1', not a pinned commit hash.
- if: ${{ env.use_workload_identity == 'false' }}
name: Authenticate with Google Cloud (Service Account Key)
id: auth
uses: google-github-actions/auth@v2

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step: auth) uses 'google-github-actions/auth' with ref 'v2', not a pinned commit hash.
if: ${{ env.use_workload_identity == 'false' }}
run: |
docker login -u _json_key \
--password-stdin ${{ inputs.registry }} < ${{ steps.auth.outputs.credentials_file_path }}

Check warning (Code scanning / CodeQL): Code injection, severity Medium.
Potential code injection in '${{ inputs.registry }}', which may be controlled by an external user.

Copilot Autofix (AI, 4 months ago)

To fix this problem, we should avoid direct use of ${{ inputs.registry }} inside the shell script. Instead, declare an environment variable (e.g., REGISTRY) set to ${{ inputs.registry }} in the workflow step, then reference $REGISTRY inside the shell script using native shell syntax (double quotes). This is best practice for preventing code injection because it removes the risk of parsing user input as shell code. Only edit the affected step(s), leaving other functionality untouched.

Specifically, edit the step at original line 231, modifying its declaration to add the environment variable and reference it natively as $REGISTRY in the script. No additional dependencies or imports are required.

Suggested changeset 1
.github/workflows/docker-blacksmith.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/docker-blacksmith.yml b/.github/workflows/docker-blacksmith.yml
--- a/.github/workflows/docker-blacksmith.yml
+++ b/.github/workflows/docker-blacksmith.yml
@@ -228,9 +228,11 @@
 
       - name: Docker login (Google Crediential file)
         if: ${{ env.use_workload_identity == 'false' }}
+        env:
+          REGISTRY: ${{ inputs.registry }}
         run: |
           docker login -u _json_key \
-          --password-stdin ${{ inputs.registry }} < ${{ steps.auth.outputs.credentials_file_path }}
+          --password-stdin "$REGISTRY" < ${{ steps.auth.outputs.credentials_file_path }}
 
       # Auth with workload-identity
       # to become defacto
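Review bot: `${{ steps.auth.outputs.credentials_file_path }}` is still interpolated directly into the `run:` script on the `+          --password-stdin "$REGISTRY" < ${{ steps.auth.outputs.credentials_file_path }}` line, so only half of the step has been moved to native shell variables; give it the same treatment (for example `CREDS_FILE: ${{ steps.auth.outputs.credentials_file_path }}` under `env:` and `< "$CREDS_FILE"` in the script), since every `${{ }}` expression is substituted into the script text before the shell parses it. The unchanged context line `- name: Docker login (Google Crediential file)` also carries a typo in the step name ('Crediential') that could be corrected in the same change.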
EOF
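The two classes of CodeQL finding on this page (third-party actions referenced by a mutable tag instead of a commit SHA, and `${{ }}` expressions expanded straight into a `run:` script) are easy to pre-check locally before a workflow is pushed. The following is an added example, not code from the repository or from CodeQL: a small line-oriented checker over a constructed workflow snippet modelled on the steps shown above. It deliberately avoids a YAML library so it runs offline; the `TRUSTED_OWNERS` list (owners whose actions CodeQL does not count as third party) and the `EXTERNAL_ROOTS` list (expression roots treated as externally controllable) are assumptions, and the 40-character SHA in the sample is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow, modelled on the steps shown on this PR page.
# The pinned SHA below is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Set up SSH
        uses: webfactory/ssh-agent@v0.9.0
      - name: Checkout
        uses: actions/checkout@v4
      - name: Pinned example (placeholder SHA)
        uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3
      - name: Docker login (Google Crediential file)
        if: ${{ env.use_workload_identity == 'false' }}
        run: |
          docker login -u _json_key \\
          --password-stdin ${{ inputs.registry }} < ${{ steps.auth.outputs.credentials_file_path }}
      - name: Docker login (hardened)
        env:
          REGISTRY: ${{ inputs.registry }}
        run: |
          docker login -u _json_key --password-stdin "$REGISTRY"
"""

# Owners whose actions are not treated as third party (assumption).
TRUSTED_OWNERS = ("actions", "github")
# Expression roots an external user can influence directly (assumption; a
# subset of what a full taint model would consider attacker-controlled).
EXTERNAL_ROOTS = ("inputs.", "github.event.", "github.head_ref")

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")


def find_unpinned_uses(workflow_text, trusted_owners=TRUSTED_OWNERS):
    """Return (line, action, ref) for third-party actions not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue  # not a 'uses:' line, or a reference without an '@ref' part
        action, _, ref = m.group(1).rpartition("@")
        if action.split("/")[0] in trusted_owners or SHA_RE.match(ref):
            continue
        findings.append((lineno, action, ref))
    return findings


def find_run_expressions(workflow_text):
    """Return (line, expression) for every ${{ }} expanded inside a run: script."""
    findings = []
    block_indent = None  # indentation of the 'run:' key while inside a block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if block_indent is not None:
            if stripped and indent <= block_indent:
                block_indent = None  # block scalar ended, fall through to key matching
            else:
                findings.extend((lineno, e) for e in EXPR_RE.findall(line))
                continue
        m = RUN_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value in ("|", "|-", "|+", ">", ">-", ">+", ""):
            block_indent = key_indent  # multi-line script follows
        else:
            findings.extend((lineno, e) for e in EXPR_RE.findall(value))
    return findings


def is_external_input(expr):
    """True when the expression root is one an external user controls (see EXTERNAL_ROOTS)."""
    return expr.startswith(EXTERNAL_ROOTS)


if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action} pinned to '{ref}', not a commit SHA")
    for lineno, expr in find_run_expressions(SAMPLE_WORKFLOW):
        kind = "external input" if is_external_input(expr) else "review"
        print(f"line {lineno}: ${{{{ {expr} }}}} expanded in run: script ({kind})")
```

On the sample, the checker reports the `webfactory/ssh-agent@v0.9.0` reference (the `actions/checkout` step is skipped as a trusted owner and the SHA-pinned `docker/login-action` step passes) and both expressions in the first `run:` block, while the hardened step that reads `"$REGISTRY"` from `env:` produces no finding. Step outputs are reported as "review" rather than "external input" because whether they are attacker-influenced depends on the producing step.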
- id: auth_with_workload_identity
name: Authenticate with Google Cloud (Workload Identity)
if: ${{ env.use_workload_identity == 'true' }}
uses: google-github-actions/auth@v2

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step: auth_with_workload_identity) uses 'google-github-actions/auth' with ref 'v2', not a pinned commit hash.
workload_identity_provider: ${{ inputs.workload-identity-provider }}
service_account: ${{ inputs.service-account }}

- uses: docker/login-action@v3

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step) uses 'docker/login-action' with ref 'v3', not a pinned commit hash.

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step: meta) uses 'docker/metadata-action' with ref 'v5', not a pinned commit hash.
${{ inputs.tag }}

- name: Build (and push) Docker image
uses: useblacksmith/build-push-action@v2

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step) uses 'useblacksmith/build-push-action' with ref 'v2', not a pinned commit hash.
ssh: default
# We use Blacksmith's implicit cache

- uses: remerge/action-slack-deploy-pipeline@v2.0.0-remerge

Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow, severity Medium.
Unpinned 3rd party Action: the 'Docker build (and push to GAR)' step (Uses Step) uses 'remerge/action-slack-deploy-pipeline' with ref 'v2.0.0-remerge', not a pinned commit hash.
@thekondor thekondor changed the title Use blacksmith for docker (not for commit) Use blacksmith for docker Oct 23, 2025
@thekondor thekondor marked this pull request as draft October 23, 2025 09:19