Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
theopolis
03/18/2021, 4:07 AMI should have gone to bed an hour ago, but I got an example
ec2-github-runnerosquery/osquery❤️ 2
a
Ali Saidi
03/18/2021, 1:34 PMnice! does it limit secrets for hosted runners from non-collaborators no matter what?
t
theopolis
03/18/2021, 1:45 PMThat's what I understand from the GitHub documentation.
If you or someone else has a moment, you can test by opening a PR against https://github.com/theopolis/osquery-ci-test and if it's vulnerable to leaking secrets to non-contributors then the EC2 instance will start, otherwise workflow job will fail.
We might be able to get up and running with this by having these workflow jobs run on the main branch and tags.What I mean here is I consider building aarch64 on master to be the MVP for what we need to consider support official. If we implement testing on master then we at least know before we tag a release that aarch64 is working. We'll also have packages built and ready as artifacts for the release process.
And we can find a solution for pull requests in the future.Longer term the Envoy or CB approach is ideal so that we give PRs the confidence they are not breaking aarach64. I proposed the
ec2-github-runnera
Ali Saidi
03/19/2021, 12:58 AMI tried a PR and the start EC2 runner failed because it wasn’t specified which matches what i expected would happen from the above. No access to secrets from PRs