ci/container: remove S3_JWT_FILE when container_job_trampoline.sh exits

The running container jobs scripts S3_JWT_FILE needs to be removed on exit because the resulting image is committed and we don't want the auth token to leak permanently in the fs. Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/31093>
2024-12-19 20:17:31 +01:00
parent 88dfda7f0a
commit 669b7f881d
2 changed files with 3 additions and 1 deletions
--- a/.gitlab-ci/container/container_job_trampoline.sh
+++ b/.gitlab-ci/container/container_job_trampoline.sh
@@ -19,4 +19,6 @@ CONTAINER_CI_JOB_NAME="$1"
 eval "$S3_JWT_FILE_SCRIPT"
 unset S3_JWT_FILE_SCRIPT

+trap 'rm -f ${S3_JWT_FILE}' EXIT INT TERM
+
 bash ".gitlab-ci/container/${CONTAINER_CI_JOB_NAME}.sh"
--- a/.gitlab-ci/image-tags.yml
+++ b/.gitlab-ci/image-tags.yml
@@ -16,7 +16,7 @@ variables:
   DEBIAN_BASE_TAG: "20241125-crosvm"

   DEBIAN_X86_64_BUILD_IMAGE_PATH: "debian/x86_64_build"
-   DEBIAN_BUILD_TAG: "20241219-android"
+   DEBIAN_BUILD_TAG: "20241219-rm-jwt_file"

   DEBIAN_X86_64_TEST_BASE_IMAGE: "debian/x86_64_test-base"
   DEBIAN_ARM64_TEST_BASE_IMAGE: "debian/arm64_test-base"