77 changes: 58 additions & 19 deletions .github/workflows/image-transfer.yml
Expand Up @@ -8,8 +8,8 @@ on:
required: true
default: ''
type: string
TOKEN:
description: 'provide docker hub token'
SECRET_NAME:
description: 'Custom secret name (optional - defaults to <ORG>_DOCKER_TOKEN)'
required: false
default: ''
type: string
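Review bot: the new `SECRET_NAME` input is later used verbatim as the lookup key into `secrets[...]`, but its description only says it is optional; state the expected format (GitHub secret names are limited to `[A-Z0-9_]`, e.g. `MY_ORG_DOCKER_TOKEN`) so callers do not pass a lowercase or hyphenated name that can never match a configured secret. Also, the `TOKEN` input is dropped in this hunk, so any existing caller that supplied `TOKEN` directly will fail with an unknown-input error; call that out in the PR description and README.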
Expand Down Expand Up @@ -43,27 +43,66 @@ jobs:
runs-on: ubuntu-latest
outputs:
TOKEN: ${{ steps.ORG_TOKEN.outputs.TOKEN }}
USERNAME: ${{ steps.ORG_TOKEN.outputs.USERNAME }}
steps:
- name: Check if input TOKEN is empty
if: ${{ inputs.TOKEN == '' }}
- name: Set organization secrets dynamically
id: ORG_TOKEN
env:
DESTINATION_ORGANIZATION: ${{ inputs.DESTINATION_ORGANIZATION }}
CUSTOM_SECRET_NAME: ${{ inputs.SECRET_NAME }}
run: |
if [[ ${{ inputs.DESTINATION_ORGANIZATION }} == mosipqa ]]; then
echo "TOKEN=QA_NAMESPACE_DOCKER_HUB" >> $GITHUB_OUTPUT
echo "USERNAME=DOCKER_USERNAME" >> $GITHUB_OUTPUT
# Check if custom secret name is provided
if [ -n "$CUSTOM_SECRET_NAME" ]; then
# Use custom secret name
TOKEN_SECRET="$CUSTOM_SECRET_NAME"
printf 'Using custom secret name: %s\n' "$TOKEN_SECRET"
else
# Use dynamic naming based on organization
ORG="$DESTINATION_ORGANIZATION"

# Validate DESTINATION_ORGANIZATION before normalization
if [ -z "$ORG" ]; then
printf '❌ ERROR: DESTINATION_ORGANIZATION is empty or not provided\n' >&2
exit 1
fi

# Check for invalid characters (only letters, numbers, and hyphens are allowed)
if ! printf '%s' "$ORG" | grep -qE '^[a-zA-Z0-9-]+$'; then
printf '❌ ERROR: Invalid organization name: "%s"\n' "$ORG" >&2
printf 'Organization name must contain only letters, numbers, and hyphens (no dots, spaces, or other special characters)\n' >&2
exit 1
fi

# Convert organization name to valid secret name (replace hyphens, then uppercase)
# GitHub secret names can only contain [A-Z0-9_]
ORG_NORMALIZED=$(printf '%s' "$ORG" | tr '-' '_' | tr '[:lower:]' '[:upper:]')

# Dynamically construct secret name based on organization
TOKEN_SECRET="${ORG_NORMALIZED}_DOCKER_TOKEN"
printf 'Using dynamic secret name: %s\n' "$TOKEN_SECRET"
fi
if [[ ${{ inputs.DESTINATION_ORGANIZATION }} == mosipint ]]; then
echo "TOKEN=INT_NAMESPACE_DOCKER_HUB" >> $GITHUB_OUTPUT
echo "USERNAME=DOCKER_USERNAME" >> $GITHUB_OUTPUT
fi
- name: Print Secret Name

printf 'TOKEN=%s\n' "$TOKEN_SECRET" >> "$GITHUB_OUTPUT"

- name: Validate secret configuration
env:
TOKEN_EXISTS: ${{ secrets[steps.ORG_TOKEN.outputs.TOKEN] != '' }}
SECRET_NAME: ${{ steps.ORG_TOKEN.outputs.TOKEN }}
DESTINATION_ORGANIZATION: ${{ inputs.DESTINATION_ORGANIZATION }}
run: |
echo "ORGANIZATION NAME : ${{ inputs.DESTINATION_ORGANIZATION }} "
echo "SECRET NAME : ${{ steps.ORG_TOKEN.outputs.TOKEN }}"
echo "USERNAME : ${{ steps.ORG_TOKEN.outputs.USERNAME }}"
echo "REGISTRY URL : ${{ inputs.REGISTRY_URL }}"

if [ "$TOKEN_EXISTS" != "true" ]; then
printf '❌ ERROR: Secret '\''%s'\'' is not configured or is empty\n' "$SECRET_NAME"
printf '\n'
printf 'Please configure the following secret in GitHub repository settings:\n'
printf ' Secret name: %s\n' "$SECRET_NAME"
printf ' Path: Settings → Secrets and variables → Actions → New repository secret\n'
printf '\n'
printf 'For organization '\''%s'\'', you need:\n' "$DESTINATION_ORGANIZATION"
printf ' - Secret: %s\n' "$SECRET_NAME"
printf ' - Value: Your Docker registry token/password\n'
exit 1
fi

printf '✅ Secret '\''%s'\'' is configured\n' "$SECRET_NAME"
Image-transfer:
needs: chk_token
uses: mosip/kattu/.github/workflows/image-transfer.yml@master
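Review bot: in the `Set organization secrets dynamically` step, the `CUSTOM_SECRET_NAME` branch writes `$TOKEN_SECRET` straight into `$GITHUB_OUTPUT` without the character validation that the dynamic branch applies to `$ORG`; apply an equivalent `grep -qE '^[A-Z0-9_]+$'` check to the custom name so an unexpected value (including one containing a newline, which would add extra lines to `$GITHUB_OUTPUT`) fails fast with a clear error instead of surfacing later as an empty `secrets[...]` lookup. Separately, the job still declares `USERNAME: ${{ steps.ORG_TOKEN.outputs.USERNAME }}` as an output, but the step no longer writes `USERNAME` to `$GITHUB_OUTPUT`, so that output is now always empty; either remove it or set it again. Minor: the `Validate secret configuration` step prints its error text to stdout while the first step sends errors to `>&2`; keeping both on stderr is more consistent.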
Expand All @@ -74,6 +113,6 @@ jobs:
ENABLE_WIREGUARD: ${{ inputs.ENABLE_WIREGUARD }}
USERNAME: ${{ inputs.USERNAME }}
secrets:
TOKEN: "${{ secrets[needs.chk_token.outputs.TOKEN] || inputs.TOKEN }}"
TOKEN: "${{ secrets[needs.chk_token.outputs.TOKEN] }}"
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_DEVOPS }}
WIREGUARD_CONFIG: ${{ secrets.WIREGUARD_CONFIG }}
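Review bot: with the `|| inputs.TOKEN` fallback removed, the secret forwarded to the reusable workflow is chosen entirely by `needs.chk_token.outputs.TOKEN`, which a caller controls through the `SECRET_NAME` input; `secrets[...]` will return any repository secret with that name, not only `*_DOCKER_TOKEN` ones. Consider restricting the accepted custom name in the `chk_token` script (for example requiring the `_DOCKER_TOKEN` suffix) so this job can only ever pass registry tokens to `image-transfer.yml`.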
49 changes: 43 additions & 6 deletions release/vidivi/README.md
Expand Up @@ -192,19 +192,49 @@ Execute the [Manual workflow to transfer images](https://github.com/mosip/releas
| Input | Description | Required | Default | Example |
|-------|-------------|----------|---------|---------|
| `USERNAME` | Registry username | Yes | - | `robot$mosipdev+release-bot` (Harbor)<br>`myusername` (Docker Hub) |
| `TOKEN` | Registry token/password | Yes (secret) | - | Robot account token or personal access token |
| `DESTINATION_ORGANIZATION` | Destination org/project | Yes | - | `mosipid`, `library`, `myproject` |
| `DESTINATION_ORGANIZATION` | Destination org/project | Yes | - | `mosipid`, `mosipqa`, `myproject` |
| `REGISTRY_URL` | Destination registry URL | Yes | `https://index.docker.io/v1/` | `https://harbor.example.com` |
| `REGISTRY_TYPE` | Registry type | Yes | `dockerhub` | `dockerhub`, `harbor`, `other` |
| `ENABLE_WIREGUARD` | Enable VPN for private networks | No | `false` | `true` or `false` |

### Workflow Secrets

Configure these in GitHub repository settings → Secrets:
Configure these GitHub secrets dynamically based on your destination organization:

- `TOKEN`: Registry authentication token
- `SLACK_WEBHOOK_URL`: Slack notification webhook
- `WIREGUARD_CONFIG`: (Optional) WireGuard VPN configuration for private registries
**Secret Naming Convention:**
- Token: `<ORGANIZATION_NAME>_DOCKER_TOKEN`
- Organization names are normalized: hyphens converted to underscores, then uppercased
- GitHub secret names can only contain `[A-Z0-9_]`

**Examples:**
- `mosipqa` → `MOSIPQA_DOCKER_TOKEN`
- `mosipdev` → `MOSIPDEV_DOCKER_TOKEN`
- `acmecorp` → `ACMECORP_DOCKER_TOKEN`
- `my-org` → `MY_ORG_DOCKER_TOKEN` (hyphen → underscore)
- `test-dev-env` → `TEST_DEV_ENV_DOCKER_TOKEN` (all hyphens → underscores)

**Required Secrets:**
1. **`<ORG>_DOCKER_TOKEN`**: Registry authentication token for the specific organization
- Docker Hub: Personal Access Token or Account Password
- Harbor: Robot account token
- Other registries: Appropriate authentication token

2. **`SLACK_WEBHOOK_DEVOPS`**: Slack notification webhook (shared across all workflows)

3. **`WIREGUARD_CONFIG`**: (Optional) WireGuard VPN configuration for private registries

**How to Add Secrets:**
1. Go to GitHub repository → Settings → Secrets and variables → Actions
2. Click "New repository secret"
3. Add secrets following the naming convention above
4. For organization `myorg`, create: `MYORG_DOCKER_TOKEN`
5. For organization `my-org`, create: `MY_ORG_DOCKER_TOKEN` (hyphens become underscores)

**Security Benefits:**
- Tokens are never exposed in workflow logs
- Each organization has isolated credentials
- No hardcoded credentials in workflow files
- Automatic secret selection based on destination organization

### Running the Workflow

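Review bot: the Inputs table drops the `TOKEN` row but does not add a row for the new `SECRET_NAME` input (optional; overrides the `<ORG>_DOCKER_TOKEN` default), so readers of this section cannot discover the override. Also, the lead-in `Configure these GitHub secrets dynamically based on your destination organization:` is misleading: the secrets are created by hand and only their selection is dynamic; wording such as `The workflow picks the secret to use from the destination organization name; configure one secret per organization:` matches the steps that follow.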
Expand All @@ -221,6 +251,13 @@ Configure these in GitHub repository settings → Secrets:
```
5. Click "Run workflow"

**Note:** The workflow automatically selects the correct token secret based on the `DESTINATION_ORGANIZATION` input:
- Organization `mosipqa` uses secret `MOSIPQA_DOCKER_TOKEN`
- Organization `mosipdev` uses secret `MOSIPDEV_DOCKER_TOKEN`
- Organization `acmecorp` uses secret `ACMECORP_DOCKER_TOKEN`
- Organization `my-org` uses secret `MY_ORG_DOCKER_TOKEN` (hyphens converted to underscores)
- Organization names are normalized: hyphens → underscores, then uppercased

### Workflow Features

✅ **Automated Verification**: Checks source image existence before transfer
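Review bot: the added **Note:** repeats the naming examples already listed under `Workflow Secrets`; a one-line pointer to that section, plus a mention that the `SECRET_NAME` input overrides the default, would keep the two lists from drifting apart.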