Register: add --token-file flag

At the moment, the only way to pass the secret Gitea token to the
runner CLI is directly through a CLI parameter. That's an issue on a
multi-user system where the CLI parameters are world-readable through
/proc/PID/cmdline. On a Linux system, there's sadly no way to hide the
cmdline parameters.

We usually go around this limitation by storing the secrets in a file
and protecting it through tight ACL rules. Add a way to inject the
secret token via a file during the register command.

As a nice side-effect, this improves the systemd integration by
allowing us to directly use the LoadCredential mechanism.
Félix Baylac Jacqué
2023-09-25 13:22:26 +02:00
parent d07fbfc8c3
commit c7f39de3a8
2 changed files with 16 additions and 1 deletions

@ -37,6 +37,7 @@ func Execute(ctx context.Context) {
registerCmd.Flags().BoolVar(&regArgs.NoInteractive, "no-interactive", false, "Disable interactive mode")
registerCmd.Flags().StringVar(&regArgs.InstanceAddr, "instance", "", "Gitea instance address")
registerCmd.Flags().StringVar(&regArgs.Token, "token", "", "Runner token")
registerCmd.Flags().StringVar(&regArgs.TokenFile, "token-file", "", "Path to a file containing the runner token")
registerCmd.Flags().StringVar(&regArgs.RunnerName, "name", "", "Runner name")
registerCmd.Flags().StringVar(&regArgs.Labels, "labels", "", "Runner tags, comma separated")
rootCmd.AddCommand(registerCmd)
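
Review bot: the new "token-file" flag is registered right after "token", but nothing in the visible lines says what happens when both --token and --token-file are passed. Either reject that combination before registration runs or state the precedence in the help strings. The "token-file" help text should also say whether trailing whitespace is trimmed, since a secret file commonly ends with a newline. The code that reads the file is not part of this hunk, so confirm there that an unreadable or empty file fails the register command instead of continuing with an empty token. Since --token stays available, its help string ("Runner token") could point users to --token-file, because the /proc/PID/cmdline exposure described in the commit message still applies to anyone who keeps using it.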