From cc0c655e5fcbc7665b3913c30eb3c9de3e7abfa9 Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Mon, 20 Mar 2023 20:04:21 -0700 Subject: [PATCH] Revert "Use --password-stdin for upload-container-image" This reverts commit 345c839db64f6ee1566fda07b6a706ee8ff7f0d9. This is simpler, and we don't have to worry about the tempfile write accidentally exposing secrets. This is similar to the way we log in in the promote job. Change-Id: I2a0f34e0ea3abe88fe9f26d12298baf68f1a6b2d
---
 roles/upload-container-image/tasks/push.yaml | 20 ++------------------ 1 file changed, 2 insertions(+), 18 deletions(-)
diff --git a/roles/upload-container-image/tasks/push.yaml b/roles/upload-container-image/tasks/push.yaml
index f63eb069f..fb3156ddc 100644
--- a/roles/upload-container-image/tasks/push.yaml
+++ b/roles/upload-container-image/tasks/push.yaml
@@ -1,22 +1,6 @@
-- name: Create tempfile for password
- tempfile:
- state: file
- register: _password_tmp
-
-- name: Populate tempfile
- copy:
- content: "{{ container_registry_credentials[zj_image.registry].password }}"
- dest: "{{ _password_tmp.path }}"
- mode: 0600
-
 - name: Log in to registry
- block:
- - name: Log in to registry
- shell: "cat {{ _password_tmp.path }} | {{ container_command }} login -u {{ container_registry_credentials[zj_image.registry].username }} --password-stdin {{ zj_image.registry }}"
-
- always:
- - name: Remove password from disk
- command: "shred {{ _password_tmp.path }}"
+ command: "{{ container_command }} login -u {{ container_registry_credentials[zj_image.registry].username }} -p {{ container_registry_credentials[zj_image.registry].password }} {{ zj_image.registry }}"
+ no_log: true

 - name: Publish images
 block:
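Review bot: The added `command:` line passes the registry password as a `-p` argument, so for the duration of the login it is part of the process's argument list on the build node and readable by other local processes; `no_log: true` only keeps it out of Ansible's own output and logs. The tempfile this commit removes is not required to avoid that, because the `command` module can supply stdin itself: keep `--password-stdin` in place of `-p {{ ... }}` and add `stdin: "{{ container_registry_credentials[zj_image.registry].password }}"` to the task, retaining `no_log: true`. That form would also avoid the templated password being split into several arguments if it ever contains whitespace, since `command` tokenises the rendered string before executing it. The "Publish images" block that follows continues outside the hunk, so whether anything after login depends on the old tempfile cannot be seen from here.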