security: fix log/state file permissions, Firebase key on disk, TLS cleanup

- agent_loop.py: create log dir with mode 0700 and enforce it on
  existing dirs; open log files with mode 0600; chmod state file
  to 0600 after every write. Prevents other local processes from
  reading agent output (which may contain credential paths) or
  tampering with the state file's pid field.
- ci/main.go (TestAndroidFirebase): replace
      echo "$FIREBASE_SA_KEY" > /tmp/key.json
  with bash process substitution
      --key-file=<(echo "$FIREBASE_SA_KEY")
  The key is now passed via a file descriptor — it never touches
  disk, so it cannot be stranded by a failed gcloud auth call or
  snapshotted into the Dagger layer cache.
- ci.yml / deploy.yml: add "Cleanup TLS credentials" step
  (if: always()) at the end of every job that calls
  setup_dagger_remote.sh. Removes /tmp/dagger-tls,
  /tmp/stunnel-dagger.conf, /tmp/stunnel.pid from the self-hosted
  runner after each job, so client certs do not accumulate between
  job runs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
co-authored by Claude Sonnet 4.6
parent 509a0bc954
commit b6a2f91820
+1 -3
@@ -680,10 +680,8 @@ func (m *Ci) TestAndroidFirebase(
|
||||
WithEnvVariable("FIREBASE_PROJECT_ID", projectID).
|
||||
WithExec([]string{"/bin/bash", "-c",
|
||||
`auth_err=$(mktemp); trap 'rm -f "$auth_err"' EXIT; \
|
||||
echo "$FIREBASE_SA_KEY" > /tmp/key.json; \
|
||||
gcloud auth activate-service-account --key-file=/tmp/key.json 2>"$auth_err" \
|
||||
gcloud auth activate-service-account --key-file=<(echo "$FIREBASE_SA_KEY") 2>"$auth_err" \
|
||||
|| { cat "$auth_err"; exit 1; }; \
|
||||
rm -f /tmp/key.json; \
|
||||
gcloud config set project "$FIREBASE_PROJECT_ID" 2>>"$auth_err" \
|
||||
|| { cat "$auth_err"; exit 1; }; \
|
||||
unknown=$(grep -vF "Activated service account credentials for:" "$auth_err" \
|
||||
|
||||
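Review bot: On the added `gcloud auth activate-service-account --key-file=<(echo "$FIREBASE_SA_KEY")` line, the key file no longer lands in /tmp, but `gcloud auth activate-service-account` itself persists the activated credential in gcloud's configuration directory, so key material can still sit on the container filesystem after this command and be picked up by a layer snapshot. Consider pointing `CLOUDSDK_CONFIG` at a temporary directory that is deleted once the credential is no longer needed, or running `gcloud auth revoke` at the end of the step, and check that `FIREBASE_SA_KEY` reaches the container as a secret rather than a plain environment variable (how it is set is not visible in this hunk). A smaller point on the same line: `printf '%s' "$FIREBASE_SA_KEY"` is safer than `echo` for JSON that contains backslash escapes, since `echo` behaviour depends on shell options.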