Secret and Artifact Leakage Test #2
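# Deliberate test fixture: exercises both safe and unsafe ways of handling a
# repository secret so that log masking and artifact leakage can be observed.
# Steps 6-8 leak DB_PASSWORD on purpose and must not be copied into a real
# workflow; the safe pattern is step 5 (secret passed via env, never inlined).
name: Secret and Artifact Leakage Test

on:
  workflow_dispatch: # manual trigger only

jobs:
  test:
    # NOTE(review): on a self-hosted runner the files written below
    # (secret.txt, secret-tester.tar) and the built image stay on the host
    # after the job ends unless the workspace is cleaned up separately.
    runs-on: self-hosted
    steps:
      # 1. Check out the repository
      - name: Checkout Repository
        uses: actions/checkout@v4

      # 2. Cache Node.js dependencies (if package-lock.json exists)
      - name: Cache Node modules
        uses: actions/cache@v4
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}

      # 3. Set up the Node.js environment
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '14'

      # 4. Install npm dependencies (if package.json exists)
      - name: Install npm dependencies
        run: |
          if [ -f package.json ]; then
            npm install
          else
            echo "No package.json found. Skipping npm install."
          fi

      # 5. Safe secret usage: the secret is referenced through an environment
      #    variable, so the expression is never expanded into the script text.
      - name: Safe Secret Usage (Env Variable)
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
        run: |
          echo "Safe usage: DB_PASSWORD is $DB_PASSWORD"
          # GitHub masks the value of DB_PASSWORD as *** in the job log

      # 6. Unsafe secret usage: the ${{ }} expression is expanded directly into
      #    the command line. Intentionally unsafe — kept to observe whether the
      #    value surfaces in the log.
      - name: Unsafe Secret Usage (Inline)
        run: echo "Unsafe usage-- DB_PASSWORD is ${{ secrets.DB_PASSWORD }}"
        # Higher risk: some CLI tools may print the full argument value to the log

      # 7. Write the secret to a file (simulates leaking sensitive data through
      #    an artifact)
      - name: Write Secret to File
        run: echo "Secret in file-- ${{ secrets.DB_PASSWORD }}" > secret.txt

      # 8. Upload the file containing the secret as an artifact.
      #    Log masking does not apply to artifact contents.
      - name: Upload Secret File Artifact
        uses: actions/upload-artifact@v4
        with:
          name: secret-artifact
          path: secret.txt

      # 9. Cache pip dependencies (if requirements.txt exists).
      #    Same major as step 2 so both cache steps behave the same way.
      - name: Cache pip packages
        uses: actions/cache@v4
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}

      # 10. Set up the Python environment
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.8'

      # 11. Install pip dependencies (if requirements.txt exists)
      - name: Install pip dependencies
        run: |
          if [ -f requirements.txt ]; then
            pip install -r requirements.txt
          else
            echo "No requirements.txt found. Skipping pip install."
          fi

      # 12. Docker build: build the Docker image from the current directory
      - name: Build Docker Image
        run: |
          if [ -f Dockerfile ]; then
            docker build -t secret-tester:latest .
          else
            echo "No Dockerfile found. Skipping Docker build."
          fi

      # 13. Save the built Docker image as a tarball
      - name: Save Docker Image to Tarball
        run: |
          if docker image inspect secret-tester:latest > /dev/null 2>&1; then
            docker save secret-tester:latest -o secret-tester.tar
          else
            echo "Docker image not built. Skipping save."
          fi

      # 14. Upload the Docker image tarball as an artifact (optional).
      #     If the image contains secret.txt, the artifact carries it too.
      - name: Upload Docker Image Artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image-artifact
          path: secret-tester.tar

      # 15. Push the Docker image to GitHub Container Registry (GHCR).
      #     Skips cleanly when no image was built, matching step 13.
      - name: Push Docker Image to GHCR
        env:
          # CR_PAT (GitHub Personal Access Token) must be set in the repository Secrets
          CR_PAT: ${{ secrets.CR_PAT }}
          # Passed via env rather than inlined into the script, as in step 5
          GHCR_USER: ${{ github.actor }}
          GHCR_OWNER: ${{ github.repository_owner }}
        run: |
          if ! docker image inspect secret-tester:latest > /dev/null 2>&1; then
            echo "Docker image not built. Skipping push."
            exit 0
          fi
          # Log in to GHCR with the GitHub username and the PAT (read from stdin)
          echo "$CR_PAT" | docker login ghcr.io -u "$GHCR_USER" --password-stdin
          # Print the current image list (debugging)
          docker images
          # Tag the image in GHCR form (ghcr.io/<owner>/<image>:<tag>)
          docker tag secret-tester:latest "ghcr.io/$GHCR_OWNER/secret-tester:latest"
          # Print the image list again to confirm the tag
          docker images
          # Push the image
          docker push "ghcr.io/$GHCR_OWNER/secret-tester:latest"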