From 0a52d00393b25301a54532f90611c645f123302f Mon Sep 17 00:00:00 2001
From: Eric Engestrom
Date: Mon, 19 May 2025 11:56:34 +0200
Subject: [PATCH] ci: clear S3_JWT_FILE_SCRIPT as it also contains the S3_JWT
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This whole thing of dumping the env var in a file and unsetting it so that it wouldn't be visible in an env dump anymore? Yeah, we kinda failed here 😅 Note: setting it to an empty string instead of unsetting it allows for redundant `eval "$S3_JWT_FILE_SCRIPT"` calls without failing over an unset variable.
Reported-by: @alatiera
Part-of:
---
.gitlab-ci.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 022895ded47..fe07889fc34 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -87,6 +87,7 @@ variables:
 S3_JWT_FILE: /s3_jwt
 S3_JWT_FILE_SCRIPT: |-
 echo -n '${S3_JWT}' > '${S3_JWT_FILE}' &&
+ S3_JWT_FILE_SCRIPT= &&
 unset CI_JOB_JWT S3_JWT # Unsetting vulnerable env variables
 S3_HOST: s3.freedesktop.org
 # This bucket is used to fetch ANDROID prebuilts and images
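Review bot: The added `S3_JWT_FILE_SCRIPT= &&` scrubs the token only in the shell that actually evals this script, so a job or step that never runs `eval "$S3_JWT_FILE_SCRIPT"`, or runs it in a subshell, would still carry the token in both `S3_JWT` and `S3_JWT_FILE_SCRIPT`. Whether every job performs the eval in its top-level shell is not visible in this hunk, so that is worth confirming alongside the change. The assignment also reads like a no-op out of context, so I would add a comment on the line itself, for example `S3_JWT_FILE_SCRIPT= &&  # this script's text embeds the expanded S3_JWT; emptied rather than unset so a repeated eval is harmless`.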