
Project inference security risk

Open steveoh opened this issue 3 years ago • 0 comments

The following valid action invocation poses a security risk:

```yaml
- name: 🚀 Deploy to Cloud Run
  id: deploy
  uses: google-github-actions/deploy-cloudrun@v0
  with:
    service: api
    image: gcr.io/${{ secrets.PROJECT_ID }}/api
    region: us-central1
    secrets: |
      /secrets/secrets.json=secrets:latest
```

from @sethvargo

> [Inferring the project id] poses a security risk..., because the project ID would be interpreted as your project (instead of explicitly opting into that behavior).

Cloud Functions does not allow this behavior, and Cloud Run should be consistent with its API, especially if it poses a security risk.

Originally posted by @sethvargo in https://github.com/google-github-actions/deploy-cloud-functions/issues/318#issuecomment-1110310192

steveoh, Apr 26 '22 23:04