Code security with the Publishing Docker images example #187561
I have a few concerns about the example for publishing a Docker image and I'm wondering if they are merited. See https://docs.github.com/en/actions/tutorials/publish-packages/publish-docker-images for reference. The example
I'm wondering if, in addition to 1 and 2, steps 3 and 4 are leaving the runner in a state where a malicious actor can spoof the creation of the image under someone else's name. Notably, logout is supported by the action:
Replies: 2 comments 2 replies
Concerns 1 and 2 are valid. Concerns 3 and 4 are not an issue on GitHub-hosted runners.

GitHub-hosted runners are ephemeral. Each job runs in a clean environment and is destroyed afterward, so any Docker login session is automatically removed. Not logging out does not create a realistic risk of credential reuse or spoofing.

This only becomes a real concern with self-hosted runners, where the environment persists and credentials could remain on disk. In that case, logout and cleanup are required.

Bottom line: no practical security risk here in the default GitHub setup.
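To make the self-hosted case in the reply above concrete, here is an added example (not code from the thread, from GitHub's tutorial, or from docker/login-action) of what `docker login` leaves in `config.json` when no credential helper is configured, and a cleanup a runner's post-job hook can run. The registry, username and password are made up; the file shape is the one Docker writes when it stores credentials inline.

```shell
#!/bin/sh
# Added example, not code from the discussion or from GitHub's tutorial.
# It shows what `docker login` leaves behind in $DOCKER_CONFIG/config.json
# when no credential helper is configured (the default on a bare self-hosted
# runner) and what a post-job cleanup has to check and remove.
# Registry, username and password below are made up for illustration.

# Constructed config.json, in the shape `docker login ghcr.io` writes when
# given username "octocat" and password "ghp_EXAMPLE". The "auth" value is
# only base64("octocat:ghp_EXAMPLE"): encoded, not encrypted.
SAMPLE_CONFIG='{
  "auths": {
    "ghcr.io": {
      "auth": "b2N0b2NhdDpnaHBfRVhBTVBMRQ=="
    }
  }
}'

write_sample_config() {           # $1 = path to write
    printf '%s\n' "$SAMPLE_CONFIG" > "$1"
}

# Succeeds (exit 0) if config.json still carries an auths entry for $2.
registry_creds_present() {        # $1 = config.json, $2 = registry host
    [ -f "$1" ] && grep -q "\"$2\"" "$1"
}

# Prints the stored "auth" value for registry $2, empty if none.
extract_auth() {                  # $1 = config.json, $2 = registry host
    awk -v key="\"$2\"" '
        index($0, key) { hit = 1 }
        hit && /"auth"/ {
            sub(/.*"auth":[ \t]*"/, ""); sub(/".*/, ""); print; exit
        }' "$1"
}

# Recovers user:password from the stored value, which is what a later job
# on the same runner (or anyone reading the file) could do.
decode_auth() {                   # $1 = base64 auth value
    printf '%s' "$1" | base64 -d
}

# Equivalent of `docker logout` for every registry: leaves a valid, empty
# config so later jobs start unauthenticated. Meant for a self-hosted
# runner's post-job hook, in case the action's own logout step did not run.
scrub_docker_config() {           # $1 = config.json
    printf '{\n  "auths": {}\n}\n' > "$1"
}

# Stand-alone demo in a scratch directory.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/config.json"
write_sample_config "$demo_cfg"
if registry_creds_present "$demo_cfg" ghcr.io; then
    echo "credentials left on disk for ghcr.io: $(decode_auth "$(extract_auth "$demo_cfg" ghcr.io)")"
fi
scrub_docker_config "$demo_cfg"
registry_creds_present "$demo_cfg" ghcr.io || echo "ghcr.io credentials removed"
rm -rf "$demo_dir"
```

docker/login-action's `logout` input (default `true`) runs `docker logout` in its post step, which is the supported way to remove the entry; the scrub above is the belt-and-braces step for a persistent runner where a cancelled or crashed job might skip that post step, and `registry_creds_present` is the check to run afterwards to confirm nothing survived.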
As