
We want to use GitHub Actions for CI. The Dockerfile we are using behind our corporate FW involves COPYing our certificate and updating ca-certificates.
That means I need to add the corporate certificate in the git repo for CI purposes.

That bothers me not so much in terms of security (it's a public key) but rather because I figure if every organization did that too the code could be cluttered by useless stuff.

I'm thinking of getting rid of all stuff RE certificates in the public repo and telling people to edit the Dockerfile should they need to build images behind the FW.
How do people go about that?

VonC

1 Answer


I would keep:

  • the CA in an external source
  • the Dockerfile generic (in that it would not need to be edited)

The idea would be, for instance, to set the certificate in an environment variable, used then in the Dockerfile during docker build.
A wrapper script 'build' (versioned in the same repository) would:

  • check if the environment variable is set (and exit while complaining if not set)
  • call docker build.

Any user cloning the repository, and calling 'build' would discover the local requirement, even if they never read the README.

VonC
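
A sketch of the 'build' wrapper described in the answer above, as an added example that is not part of the original answer. The variable names `CORP_CA_PEM` and `DOCKER`, the Dockerfile fragment in the comments, and the Debian-style certificate path are assumptions.

```shell
#!/bin/sh
# build: wrapper around `docker build` that refuses to run without the CA.
#
# Assumed Dockerfile fragment (Debian/Ubuntu base image), which stays generic
# and never needs editing:
#   ARG CORP_CA_PEM
#   RUN printf '%s\n' "$CORP_CA_PEM" > /usr/local/share/ca-certificates/corp-ca.crt \
#       && update-ca-certificates

# Fail with a clear message unless CORP_CA_PEM holds something PEM-shaped.
check_ca_env() {
    if [ -z "${CORP_CA_PEM:-}" ]; then
        echo "build: CORP_CA_PEM is not set; export your CA certificate (PEM text) first" >&2
        return 1
    fi
    case "$CORP_CA_PEM" in
        *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
        *)
            echo "build: CORP_CA_PEM does not look like a PEM certificate" >&2
            return 1
            ;;
    esac
    # Export so that `--build-arg CORP_CA_PEM` (no value) picks it up from
    # the environment instead of the command line.
    export CORP_CA_PEM
}

# Run docker build, forwarding any extra arguments (tags, context, ...).
# DOCKER can be overridden, e.g. DOCKER=echo for a dry run.
build_image() {
    "${DOCKER:-docker}" build --build-arg CORP_CA_PEM "$@"
}

main() {
    check_ca_env || exit 1
    [ "$#" -gt 0 ] || set -- .   # default build context: current directory
    build_image "$@"
}

# Only run when invoked as ./build, so the functions can also be sourced.
case "${0##*/}" in
    build) main "$@" ;;
esac
```

In GitHub Actions the variable can be populated from a repository secret or variable, so the certificate itself never has to be committed.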