To securely manage which global files a container can modify, an allowlist will be introduced and stored in a new, hand-edited configuration file.

- The command contract for `configure` and `release` supports a write-only `/output` directory mount into which the container writes updated global files.
- A new `config.yaml` file is created in the `.librarian` directory for repository-specific, hand-edited settings.
- Librarian can parse a `global_files_allowlist` from this file, specifying file paths and permissions (`read-write`, `read-only`, `write-only`).
- A read-only input mount (`/repo`) is provided to the container with the contents of the global files declared for reading in the allowlist (`read-write` or `read-only`). Files declared `write-only` are not exposed, so the container cannot read their current contents.
- New or updated global files are copied from the container's `/output` directory back into the repository.
- Only files explicitly allowlisted for writing (`read-write` or `write-only`) are copied into the repository; anything else the container leaves in `/output` is ignored.
Example `config.yaml`:

```yaml
# .librarian/config.yaml
global_files_allowlist:
  # Allow the container to read and write the root go.work file
  # during the 'configure' step to add new modules.
  - path: "go.work"
    permissions: "read-write"
  # Allow the container to read a template.
  - path: "internal/README.md.template"
    permissions: "read-only"
  # Allow publishing the updated root README.md
  - path: "README.md"
    permissions: "write-only"
```
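The following Go program is an added example of the allowlist mechanics described above; it is not Librarian's own code. It shows the three decisions the design hinges on: parsing the `global_files_allowlist` entries with their permissions, deciding which files are exposed read-only under `/repo` (and withholding `write-only` ones), and filtering what comes back from `/output` so that only paths allowlisted for writing, and nothing that escapes the repository root, is copied. The function names (`ParseAllowlist`, `Mounts`, `CopyBack`, `safeRelPath`), the minimal line-based reader in place of a real YAML library, and the sample config and `/output` listing are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

type Permission string

const ReadWrite, ReadOnly, WriteOnly Permission = "read-write", "read-only", "write-only"

// Constructed sample with the same shape as the config.yaml above.
const sampleConfig = `# .librarian/config.yaml
global_files_allowlist:
  - path: "go.work"
    permissions: "read-write"
  - path: "internal/README.md.template"
    permissions: "read-only"
  - path: "README.md"
    permissions: "write-only"
`

// safeRelPath strips quotes and cleans p, rejecting absolute paths, the repo
// root itself and anything that climbs out of the repository with "..".
func safeRelPath(p string) (string, error) {
	p = strings.Trim(strings.TrimSpace(p), `"`)
	clean := filepath.Clean(p)
	if p == "" || filepath.IsAbs(p) || clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", fmt.Errorf("path %q is not a safe repository-relative path", p)
	}
	return clean, nil
}

// ParseAllowlist is a deliberately minimal line-based reader for the
// global_files_allowlist block (assumption: the real tool uses a YAML library).
// It accepts only the "- path:" / "permissions:" shape shown above and fails
// closed on any other line, unsafe or duplicate path, or unknown permission.
func ParseAllowlist(config string) (map[string]Permission, error) {
	allow, last := map[string]Permission{}, ""
	for _, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "#") || line == "global_files_allowlist:":
		case strings.HasPrefix(line, "- path:"):
			p, err := safeRelPath(strings.TrimPrefix(line, "- path:"))
			if err != nil {
				return nil, err
			}
			if _, dup := allow[p]; dup {
				return nil, fmt.Errorf("duplicate allowlist entry %s", p)
			}
			allow[p], last = "", p
		case strings.HasPrefix(line, "permissions:") && last != "":
			perm := Permission(strings.Trim(strings.TrimSpace(strings.TrimPrefix(line, "permissions:")), `"`))
			if perm != ReadWrite && perm != ReadOnly && perm != WriteOnly {
				return nil, fmt.Errorf("unknown permission %q for %s", perm, last)
			}
			allow[last], last = perm, ""
		default:
			return nil, fmt.Errorf("unexpected line %q", line)
		}
	}
	return allow, nil // an entry that never got permissions is neither readable nor writable
}

// Mounts splits the allowlist into what /repo exposes read-only (read-write,
// read-only) and what may come back from /output (read-write, write-only).
func Mounts(allow map[string]Permission) (readable, writable map[string]bool) {
	readable, writable = map[string]bool{}, map[string]bool{}
	for p, perm := range allow {
		readable[p] = perm == ReadWrite || perm == ReadOnly
		writable[p] = perm == ReadWrite || perm == WriteOnly
	}
	return readable, writable
}

// CopyBack filters the paths a container left under /output: only writable
// allowlist entries are copied; anything else, traversal attempts included, is rejected.
func CopyBack(writable map[string]bool, outputFiles []string) (copied, rejected []string) {
	for _, f := range outputFiles {
		if clean, err := safeRelPath(f); err == nil && writable[clean] {
			copied = append(copied, clean)
		} else {
			rejected = append(rejected, f)
		}
	}
	return copied, rejected
}

func main() {
	allow, err := ParseAllowlist(sampleConfig)
	if err != nil {
		panic(err)
	}
	readable, writable := Mounts(allow)
	copied, rejected := CopyBack(writable, []string{"go.work", "README.md", // constructed /output listing
		"internal/README.md.template", ".github/workflows/ci.yml", "../../etc/passwd"})
	fmt.Println("readable:", readable, "copied:", copied, "rejected:", rejected)
}
```

Run as-is, the program copies back `go.work` and `README.md` only; the `read-only` template, the non-allowlisted workflow file and the traversal attempt are all rejected, and `README.md` never appears in the `/repo` mount because it is `write-only`. The two points worth carrying into a real implementation are that both the allowlist paths and the `/output` listing go through the same path check, and that an unknown permission or a duplicate entry is a hard error rather than a silent default.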
See: go/librarian:global-file-edits