This repository has been archived by the owner on Oct 3, 2023. It is now read-only.
In its current form, there is a potential issue where a bad actor can update the code used to generate a pipeline but the drone.yml does not update. That code could do something bad like expose secrets.
Drone gets around this typically by including a cryptographic signature in the bottom that is derived from the contents of the .drone.yml file. If the signature doesn't match the file, then it will not run the build until it is signed by a trusted user or the build is approved.
If we include data in the file that changes depending on the contents of the pipeline (we could possibly use the compiled pipeline?), we can leverage Drone's "protected repositories" features.
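The following is an added example, not code from this issue or from the Drone project, showing the two checks the proposal implies: the existing one (an HMAC over the checked-in file body) and the proposed one (a digest of the compiled pipeline embedded in that body, so a build whose generator output no longer matches the signed file is held for approval). The generator, the file layout, the key, and the use of HMAC-SHA256 are all assumptions of this example; Drone's real signature block format is not reproduced here.

```python
import hashlib
import hmac
import json

# Constructed key for this example; in Drone the per-repository secret plays this role.
SIGNING_KEY = b"example-signing-key-not-real"


def compile_pipeline(generator_source: str) -> dict:
    """Toy stand-in for a pipeline generator (hypothetical): each non-empty
    line of 'generator code' becomes one pipeline step."""
    commands = [ln.strip() for ln in generator_source.splitlines() if ln.strip()]
    return {
        "kind": "pipeline",
        "name": "default",
        "steps": [{"name": f"step-{i}", "commands": [c]} for i, c in enumerate(commands)],
    }


def canonical(obj) -> bytes:
    """Deterministic encoding so digests and HMACs are stable across runs."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def pipeline_digest(pipeline: dict) -> str:
    """SHA-256 of the compiled pipeline: the 'data that changes with the pipeline'."""
    return hashlib.sha256(canonical(pipeline)).hexdigest()


def sign(body: str, key: bytes) -> str:
    """HMAC-SHA256 over the file body (assumed stand-in for Drone's signature)."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def build_file(generator_source: str, key: bytes) -> tuple:
    """Compile the generator, embed the pipeline digest in the checked-in file
    body, and sign the body. Returns (body, hmac_hex). The layout is this
    example's own, not Drone's."""
    pipeline = compile_pipeline(generator_source)
    body = canonical({"pipeline": pipeline, "generator_digest": pipeline_digest(pipeline)}).decode()
    return body, sign(body, key)


def check_build(body: str, signature: str, generator_source: str, key: bytes) -> str:
    """Decide whether a build may run. Returns 'run', or the reason the build
    must wait for approval by a trusted user."""
    # 1. The file itself must match the signature (the check Drone already does).
    if not hmac.compare_digest(sign(body, key), signature):
        return "approval-required: signature does not match file"
    # 2. The generator's current output must match what the signed file was built from.
    doc = json.loads(body)
    fresh = pipeline_digest(compile_pipeline(generator_source))
    if not hmac.compare_digest(doc["generator_digest"], fresh):
        return "approval-required: generator changed since file was signed"
    return "run"


if __name__ == "__main__":
    gen_v1 = "make build\nmake test"
    body, sig = build_file(gen_v1, SIGNING_KEY)
    print(check_build(body, sig, gen_v1, SIGNING_KEY))
    # Generator source edited without regenerating and re-signing the file:
    gen_v2 = "make build\nmake test\nmake publish"
    print(check_build(body, sig, gen_v2, SIGNING_KEY))
```

The first check alone passes for the stale file in the second call, because the file's bytes are unchanged; only the embedded digest of the compiled pipeline reveals that the generator output has drifted, which is the gap the issue describes.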