Skip to content

[CI][Security] ROCM-26573: Move secrets from argv to env variables#3113

Open
vkallesh wants to merge 1 commit into
amd-stagingfrom
amd/dev/vkallesh/ROCM-26573-secrets-handling
Open

[CI][Security] ROCM-26573: Move secrets from argv to env variables#3113
vkallesh wants to merge 1 commit into
amd-stagingfrom
amd/dev/vkallesh/ROCM-26573-secrets-handling

Conversation

@vkallesh

Copy link
Copy Markdown
Collaborator

Fix for https://amd-hub.atlassian.net/browse/ROCM-26573 - Plaintext HTTP Auth Token Transmission and Secrets Exposed on Process argv

Issue: buildbot-psdb-trigger.yml and compute-rocm-dkmd-afar-trigger.yml
pass secrets directly on the shell command line (argv), making them
visible to any process that can read /proc/<pid>/cmdline or tools like
ps, top, htop. Additionally, Buildbot API calls used HTTP instead of
HTTPS, exposing credentials to network observers.

Impact: Secrets (BUILDBOT_USER, BUILDBOT_PWD, CI_JENKINS_TOKEN) are
visible in process listings, shell history, and system monitoring tools.
HTTP transmission allows MITM attacks and credential interception.

Fix:
1. Move all secrets from argv to env: blocks
2. Pass secrets to docker containers via -e flags
3. Access secrets via $ENV_VAR in shell, os.environ in Python
4. Change all Buildbot HTTP URLs to HTTPS (lines 86, 93)
5. Remove echo of BUILDBOT_HOST:PORT (information disclosure)

Files modified:
- .github/workflows/buildbot-psdb-trigger.yml
  * Moved BUILDBOT_USER, BUILDBOT_PWD, BUILDBOT_HOST, BUILDBOT_WORKER_PORT to env:
  * Changed http:// to https:// for Buildbot API calls * Removed echo of secrets

- .github/workflows/compute-rocm-dkmd-afar-trigger.yml
   * Moved CI_JENKINS_USER, ROCM_JENKINS_CI_TOKEN to env: 
   * Access via os.environ[] instead of workflow substitution

…ables

    Fix for ROCM-26573 - Plaintext HTTP Auth Token Transmission and Secrets
    Exposed on Process argv

    Issue: buildbot-psdb-trigger.yml and compute-rocm-dkmd-afar-trigger.yml
    pass secrets directly on the shell command line (argv), making them
    visible to any process that can read /proc/<pid>/cmdline or tools like
    ps, top, htop. Additionally, Buildbot API calls used HTTP instead of
    HTTPS, exposing credentials to network observers.

    Impact: Secrets (BUILDBOT_USER, BUILDBOT_PWD, CI_JENKINS_TOKEN) are
    visible in process listings, shell history, and system monitoring tools.
    HTTP transmission allows MITM attacks and credential interception.

    Fix:
    1. Move all secrets from argv to env: blocks
    2. Pass secrets to docker containers via -e flags
    3. Access secrets via $ENV_VAR in shell, os.environ in Python
    4. Change all Buildbot HTTP URLs to HTTPS (lines 86, 93)
    5. Remove echo of BUILDBOT_HOST:PORT (information disclosure)

    Files modified:
    - .github/workflows/buildbot-psdb-trigger.yml
      * Moved BUILDBOT_USER, BUILDBOT_PWD, BUILDBOT_HOST, BUILDBOT_WORKER_PORT to env:
      * Changed http:// to https:// for Buildbot API calls
      * Removed echo of secrets

    - .github/workflows/compute-rocm-dkmd-afar-trigger.yml
      * Moved CI_JENKINS_USER, ROCM_JENKINS_CI_TOKEN to env:
      * Access via os.environ[] instead of workflow substitution
@vkallesh vkallesh requested a review from skganesan008 June 29, 2026 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant