-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document different users for ci and eco part #66
Comments
For what scenario is this idea? For Github it does not make any real sense I would argue as the execution environment must be able to read the Github ENV vars ... I foresee this a very niche and hacky implementation. For an on-premise case I do not quite understand the need here. Us implementing something that could be seen as "secure" is still a case of trust that is likely not perfect. Final question: Am I missing a case or missing something else? |
This is due to me asking if there was a way around having an external tool in a pipeline with root access. That's how we're currently running it and it's foreseeable that this will be a problem once we're in a real customer environment. (Gitlab, AWS) |
Currently we don't really state which user has to run eco-ci as we always assumed that we would run as the user of the ci job. This implies that the ci runner could access the code of the ci run which could pose a potential security risk if the ci runner is compromised on our end. We could harden this by creating a new user that has no access to the ci data but can only read the cpu utilisation and then report on this. There is nothing really stopping eco-ci from working like this we just need to document how this can be done and maybe write a little script.
Request came from Anita
The text was updated successfully, but these errors were encountered: