Building packages on GitHub — a security risk?
by Christian Wolf
Using GitHub features such as the CI pipeline is a handy way to automate routine tasks. It lets developers (especially spare-time app developers with very limited time) focus on the important parts without worrying too much about the formal processes.
When the official Nextcloud GitHub organization hosts your code, it may look tempting to use a GitHub workflow to publish releases to the Nextcloud App Store as well. The Nextcloud GitHub organization even provides basic workflow files to automate the deployment process. However, this carries a security risk if the App Store credentials are stored as secrets in a repository inside the Nextcloud organization.
This talk will not show a way to extract a token from a repository. Instead, it explains the general problem and why using the Nextcloud organization as an umbrella for deploying apps is sub-optimal. A better solution is suggested, based on the approach taken by the Nextcloud company and its core developers.
—
See more ⚡ lightning talks from the Nextcloud Community Conference 2024: