[ANN] `julia_pod` v0.4.0: Removes A Security Footgun

The julia_pod tool (versions < v0.4.0) included an optional feature to store a user’s GitHub Personal Access Token (PAT) as a Kubernetes (K8s) secret, allowing you to add private packages from within an interactive K8s pod.

While useful in contexts where the PAT has limited scope and the target K8s namespace is secure, we’ve decided that this feature could be a security risk for unsuspecting users who might accidentally leverage it in insecure contexts, as it renders the user’s PAT accessible to any other entity with access to the namespace. In a worst-case scenario, a malicious actor with access to a leaked PAT could impersonate that PAT’s associated user via the GitHub API.

As such, we’ve decided to remove this particular feature from julia_pod v0.4.0 entirely. Any julia_pod users who have used the GITHUB_TOKEN_FILE option in a shared K8s namespace can, as a precaution, rotate any PATs they used by going to https://github.com/settings/tokens.

Going forward, julia_pod will only use the GITHUB_TOKEN_FILE to allow adding private Julia packages while building Docker images. Interactively adding Julia packages will prompt you to manually enter your credentials. Please note that julia_pod makes use of Docker BuildKit secrets to ensure that PATs are not baked into any Docker image layers.
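To illustrate the BuildKit secret mechanism mentioned above, here is an added example Dockerfile; it is not julia_pod’s own Dockerfile. It assumes a hypothetical private package at `github.com/example-org/PrivatePkg`, an official `julia:1.9` base image, and a `git` recent enough to honour the `GIT_CONFIG_COUNT` environment variables (the `JULIA_PKG_USE_CLI_GIT` setting is a real Pkg option that makes Pkg shell out to the git CLI instead of libgit2). The insecure pattern is shown only in comments for contrast.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not julia_pod's Dockerfile. Assumptions: base image julia:1.9,
# hypothetical private package github.com/example-org/PrivatePkg, and a build
# run with BuildKit, e.g.
#   DOCKER_BUILDKIT=1 docker build --secret id=github_token,src="$GITHUB_TOKEN_FILE" .
FROM julia:1.9

# INSECURE PATTERN (for contrast only; do not use):
#   ARG GITHUB_TOKEN
#   ENV GITHUB_TOKEN=$GITHUB_TOKEN
# Build args and ENV values are recorded in image metadata and layer history
# (`docker history`, `docker inspect`) and ship with the image, so anyone who
# can pull the image can recover the PAT.

# SECURE PATTERN: mount the token file for this single RUN step. BuildKit
# exposes it at /run/secrets/github_token only while the step executes and
# never writes it to a layer. The git credential helper reads the file at
# fetch time; nothing containing the token is written to the filesystem.
RUN --mount=type=secret,id=github_token \
    JULIA_PKG_USE_CLI_GIT=true \
    GIT_CONFIG_COUNT=1 \
    GIT_CONFIG_KEY_0=credential.helper \
    GIT_CONFIG_VALUE_0='!f() { echo username=x-access-token; echo "password=$(cat /run/secrets/github_token)"; }; f' \
    julia -e 'using Pkg; Pkg.add(url="https://github.com/example-org/PrivatePkg.git")'

# After the RUN step finishes, /run/secrets/github_token no longer exists in
# the image, and the environment variables above were scoped to that one
# command, so `docker history` and `docker inspect` show no token.
```

The single quotes around the credential-helper value stop the build shell from expanding `$(cat ...)`; git expands it later, at the moment it needs credentials, so the token is read straight from the mounted secret and never appears in a layer, an `ENV`, or a config file. Build with `DOCKER_BUILDKIT=1 docker build --secret id=github_token,src=/path/to/token .`; a quick check after the build is `docker history --no-trunc <image>`, which should show the `RUN --mount=type=secret` line but no token value.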
