hail
[batch] Mount job secrets as read-only
These should never have been read-write. Caught this because a CI job I was modifying overwrote `/gsa-key/key.json` with `/test-gsa-key/key.json`, which caused the Output step to use the test credentials instead of CI credentials.

I also removed an overriding definition of `secret_host_path` in `JVMJob`. I don't see why it should be different than what's defined in `Job` and using `host_path` seems quite dangerous.

Added a test that we can't `mv` a secret path and updated some existing tests that assumed we can overwrite secrets.

TODO: Update `build.yaml` to not `mv` any secrets or PRs will fail when this joins the mainline.
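
A check that a job or test could run to confirm the behaviour described above, as an added example that is not part of the PR or the hail code base: it reads mount entries in Linux `/proc/self/mountinfo` format and reports secret paths that are not mounted read-only. The sample mount table and its host paths are constructed, the function names are hypothetical, and the two secret mount points are the ones named in the description.

```python
import re

# Mount points taken from the PR description; adjust to the job's own secrets.
SECRET_MOUNTS = ("/gsa-key", "/test-gsa-key")

# Constructed sample in mountinfo format, not captured from a real worker.
# Note /gsa-key: per-mount option is "ro" while the superblock option stays "rw",
# which is what a read-only bind mount of a writable filesystem looks like.
SAMPLE_MOUNTINFO = """\
710 650 0:52 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
711 710 8:1 /batch/job-1/secrets/gsa-key /gsa-key ro,relatime - ext4 /dev/sda1 rw
712 710 8:1 /batch/job-1/secrets/test-gsa-key /test-gsa-key rw,relatime - ext4 /dev/sda1 rw
713 710 0:60 / /io rw,nosuid shared:12 - tmpfs tmpfs rw,size=1024k
"""


def _unescape(path):
    """mountinfo writes spaces and similar bytes as octal escapes such as \\040."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text):
    """Return {mount_point: set of per-mount options}; later entries win."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields:
            continue  # not a well-formed mountinfo line
        # Field 5 is the mount point, field 6 the per-mount options.
        # The options after the "-" separator describe the superblock and
        # do not show whether this particular bind mount is read-only.
        mounts[_unescape(fields[4])] = set(fields[5].split(","))
    return mounts


def writable_secret_mounts(text, secret_mounts=SECRET_MOUNTS):
    """List (path, reason) for secret paths that a job could still modify."""
    mounts = parse_mountinfo(text)
    findings = []
    for path in secret_mounts:
        options = mounts.get(path)
        if options is None:
            findings.append((path, "not a mount point"))
        elif "ro" not in options:
            findings.append((path, "mounted read-write"))
    return findings


if __name__ == "__main__":
    for path, reason in writable_secret_mounts(SAMPLE_MOUNTINFO):
        print(f"{path}: {reason}")
```

Inside a running container the same functions can be fed the contents of `/proc/self/mountinfo` instead of the sample.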