Skip to content

.github: workflows: image-push: remove GHA extraheader token from theimage#58

Merged
kpouget merged 1 commit into
openshift-psap:mainfrom
kpouget:gha
May 12, 2026
Merged

.github: workflows: image-push: remove GHA extraheader token from theimage#58
kpouget merged 1 commit into
openshift-psap:mainfrom
kpouget:gha

Conversation

@kpouget
Copy link
Copy Markdown
Contributor

@kpouget kpouget commented May 12, 2026
edited by coderabbitai Bot
Loading

(short life pull token, not a proper leak)

Summary by CodeRabbit

  • Chores
    • Updated build workflow configuration to enhance credential handling during image building and pushing processes. The workflow now removes authentication credentials from git configuration and uses public URLs for remote operations.

Review Change Stack

@kpouget
.github: workflows: image-push: remove GHA extraheader token from the…
1c9d6e2 
… image

(short life pull token, not a proper leak)
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sjmonson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 12, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c0312865-b784-428f-a069-7ae7ae2aa8d6

📥 Commits

Reviewing files that changed from the base of the PR and between 3838b87 and 1c9d6e2.

📒 Files selected for processing (1)
  • .github/workflows/image-push.yaml
📝 Walkthrough

Walkthrough

The PR adds a credential cleanup step to the image-push GitHub Actions workflow that removes authenticated git credentials and resets the repository remote to a public URL before building and pushing the Docker image, preventing accidental token leakage in build artifacts.

Changes

Security: Credential Cleanup

Layer / File(s) Summary
Credential cleanup in image-push workflow
.github/workflows/image-push.yaml		 A new workflow step unsets the GitHub extraheader for HTTPS endpoints and rewrites the origin remote URL to an anonymous public repository URL to prevent credential exposure during image build and push operations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A token in the dark, a secret once kept,
Now scrubbed from the config where credentials once slept.
The origin remote, now public and clear,
No secrets escape in the build atmosphere! 🔐

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@kpouget kpouget enabled auto-merge May 12, 2026 20:19
@kpouget kpouget merged commit eaf55b3 into openshift-psap:main May 12, 2026
4 of 5 checks passed
@kpouget kpouget deleted the gha branch May 12, 2026 20:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kpouget