Describe the problem
PR #949 added a -password-stdin option to the repo command so a password could be entered using the IRIS secure shell mode and prevent log leak/over the shoulder peering. However, this flow is more suited for an actual user than CI.
Describe the solution
It would be nice to also offer the ability to pull the password from an environment variable, e.g. something like repo -o -name myrepo -url https://registry.example.com -username my_username -password-env MY_REGISTRY_PASSWORD where MY_REGISTRY_PASSWORD is the name of the environment variable holding the password. This way the password remains hidden from the shell/log peekers. This would also make config easier in CI/CD. An analogous -token-env could also be nice.
Additional context
Should also update the warning when using -password that both -password-stdin and -password-env are available.
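A sketch of the requested behaviour, added here as an example and not taken from the project's code: it resolves the password from exactly one of the three sources named above and emits the updated warning when -password is used. The function name `resolve_password`, its signature, the warning wording and the sample secret are assumptions for illustration.

```python
import io

# -password and -password-stdin exist per the issue; -password-env is the proposal.
SOURCES = ("-password", "-password-stdin", "-password-env")


def resolve_password(argv, environ, stdin):
    """Return (password, warnings). Hypothetical helper, not the project's parser."""
    used = [flag for flag in SOURCES if flag in argv]
    if len(used) != 1:
        raise ValueError("exactly one of %s is required" % ", ".join(SOURCES))
    flag, warnings = used[0], []
    if flag == "-password-stdin":
        # Secret arrives on stdin, so it never appears in argv.
        secret = stdin.readline().rstrip("\r\n")
    else:
        idx = argv.index(flag)
        if idx + 1 >= len(argv):
            raise ValueError("%s needs a value" % flag)
        value = argv[idx + 1]
        if flag == "-password":
            # Secret itself is in argv: visible in process lists and CI logs.
            secret = value
            warnings.append("-password puts the secret on the command line; "
                            "-password-stdin and -password-env are available")
        else:
            # value is the variable NAME; only the name is ever in argv.
            if value not in environ:
                raise KeyError("environment variable %s is not set" % value)
            secret = environ[value]
    if not secret:
        raise ValueError("empty password from %s" % flag)
    return secret, warnings


if __name__ == "__main__":
    # Constructed sample: CI exports the variable, argv carries only its name.
    env = {"MY_REGISTRY_PASSWORD": "constructed-example-secret"}
    argv = ["repo", "-o", "-name", "myrepo", "-url", "https://registry.example.com",
            "-username", "my_username", "-password-env", "MY_REGISTRY_PASSWORD"]
    secret, warns = resolve_password(argv, env, io.StringIO())
    print("secret present in argv:", secret in argv, "| warnings:", warns)
```

An unset or empty variable is rejected instead of silently sending an empty password, which is the failure a misconfigured CI job would otherwise hit.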