feat: add --trust CLI and remote.trust config for remote tasks #2491
Conversation
Signed-off-by: Maciej Lech <[email protected]>
|
Looking forward to this feature! |
| // Extract host from server URL for trust testing | ||
| parsedURL, err := url.Parse(srv.URL) | ||
| require.NoError(t, err) | ||
| trustedHost := parsedURL.Host |
There was a problem hiding this comment.
Can't I trust URLs? I trust github.com/myself but I don't trust github.com/shady.
There was a problem hiding this comment.
I was thinking about that, but using URLs requires more assumptions how to compare provided URL with the trust config.
- Exact match, so full URL comparison. In my case it would require configuring every single remote taskfiles (more than dozen now) which is not a big deal, but may not be a best DX.
- Prefix match. A problem: I want to trust
https://github.com/myselfbut nothttps://github.com/myselfHackedByShady- which could be easily solved by settinghttps://github.com/myself/and nothttps://github.com/myself. So maybe this is the best way. - Glob-like style:
https://github.com/myself/*or extended versionhttps://github.com/myself/**/* - Regex:
https:\/\/github\.com\/myself\/.*
vmaerten
left a comment
vmaerten
left a comment
There was a problem hiding this comment.
Thanks for your PR!
I would prefer using trusted-hosts instead of trust (both in the CLI and in the config file).
- It's more explicit, even if it's longer
- Tools like pip already use this flag (see: https://pip.pypa.io/en/stable/cli/pip/#cmdoption-trusted-host)
- Using the CLI with comma-separated values (
--trusted-hosts a.com,b.com) avoids repeating the flag name
Thank you for your feedback. Yes, I stumbled across PIP when I was searching for similar implementations. Although, |
vmaerten
left a comment
vmaerten
left a comment
There was a problem hiding this comment.
I fixed an anchor was not good anymore
LGTM! Thanks for your PR!
4 participants
This PR implements the feature discussed in #2473.
It introduces a new --trust CLI flag and a corresponding remote.trust configuration option in taskrc. These options are available when the Remote Taskfiles experiment is enabled.
The --trust flag can be specified multiple times to define trusted hosts (optionally including ports). Any remote Taskfiles fetched from these trusted hosts will not prompt for confirmation on their initial download or when their checksums change.
Closes #2473