-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: recommend base64-subjects-as-file for masked outputs issue #2434
docs: recommend base64-subjects-as-file for masked outputs issue #2434
Conversation
internal/builders/generic/README.md
Outdated
@@ -98,7 +98,7 @@ provenance: | |||
base64-subjects: "${{ needs.build.outputs.hashes }}" | |||
``` | |||
|
|||
The `base64-subjects` input has a maximum length as defined by [ARG_MAX](https://www.in-ulm.de/~mascheck/various/argmax/) on the runner. If you need to attest to a large number of files that exceeds the maximum length, use the `base64-subjects-as-file` input option instead. This option requires that you save the ouput of the sha256sum command into a file: | |||
The `base64-subjects` input has a maximum length as defined by [ARG_MAX](https://www.in-ulm.de/~mascheck/various/argmax/) on the runner. If you need to attest to a large number of files that exceeds the maximum length, use the `base64-subjects-as-file` input option instead. Another usecase for this option is when GitHub Actions runner masks the job output because it detects a secret (see the discussion [here](https:/orgs/community/discussions/37942)). This option requires that you save the output of the sha256sum command into a file: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The `base64-subjects` input has a maximum length as defined by [ARG_MAX](https://www.in-ulm.de/~mascheck/various/argmax/) on the runner. If you need to attest to a large number of files that exceeds the maximum length, use the `base64-subjects-as-file` input option instead. Another usecase for this option is when GitHub Actions runner masks the job output because it detects a secret (see the discussion [here](https:/orgs/community/discussions/37942)). This option requires that you save the output of the sha256sum command into a file: | |
The `base64-subjects` input has a maximum length as defined by [ARG_MAX](https://www.in-ulm.de/~mascheck/various/argmax/) on the runner. If you need to attest to a large number of files that exceeds the maximum length, use the `base64-subjects-as-file` input option instead. Another use case for this option is when GitHub Actions runner masks the job output because it detects a secret (see the discussion [here](https:/orgs/community/discussions/37942)). This option requires that you save the output of the sha256sum command into a file: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we could also add an entry to the "Known Issues" section for issue masking that recommends this solution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added in commit 4eacceb.
3c5f5c9
to
4eacceb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @behnazh-w !
Can you rebase? |
The GitHub Actions runner sometimes masks the job output if it potentially contains an accessible secret. The new `base64-subjects-as-file` feature can be recommended to pass the artifact hashes using an existing file and bypass the job output masking issue. See this discussion: https:/orgs/community/discussions/37942 Signed-off-by: behnazh-w <[email protected]>
Head branch was pushed to by a user without write access
0a6508c
to
37e70c2
Compare
…a-framework#2434) The GitHub Actions runner sometimes masks the job output if it potentially contains an accessible secret. The new `base64-subjects-as-file` feature can be recommended to pass the artifact hashes using an existing file and bypass the job output masking issue. See this discussion: https:/orgs/community/discussions/37942 Signed-off-by: behnazh-w <[email protected]> Signed-off-by: Noah Elzner <[email protected]>
The GitHub Actions runner sometimes masks the job output if it potentially contains an accessible secret. The new
base64-subjects-as-file
feature can be recommended to pass the artifact hashes using an existing file and bypass the job output masking issue.See this discussion: https:/orgs/community/discussions/37942