Your setup isn't actually secure. The jenkins user can replace the script with anything of their choosing, because they have write access to the containing directory.
Also your script is missing a #!, and set -x will echo every line in a bash script so you don't have to.
Thank you for the feedback! I updated the blog post with your suggestions. The script is now safely stored in /opt, which is owned by root, so the jenkins user cannot modify it or swap it out. Additionally I updated the script to use set -x instead of duplicating the commands for echoing.
If anyone out there is curious about seeing my workflow to make and test this change, I did a screen recording:
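As an added example (not from the original post or its author), here is a small check for the property discussed above: the script and the directory that contains it must be owned by the expected user (root by default) and must not be group- or world-writable, since write access on the directory alone lets another user swap the file. It assumes GNU coreutils (stat -c, readlink -f); the function and variable names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a script another
# account is allowed to run (e.g. the jenkins user, via sudo) cannot be
# replaced by that account. Assumes GNU coreutils (stat -c, readlink -f).

# Returns 0 if an octal mode string (e.g. 755, 1777) grants write to group or other.
mode_is_shared_writable() {
    mode=$1
    other=${mode#"${mode%?}"}          # last octal digit (other)
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last octal digit (group)
    for digit in "$group" "$other"; do
        case $digit in 2|3|6|7) return 0 ;; esac   # write bit set
    done
    return 1
}

# Check one path's owner and mode; prints the reason on failure.
check_owner_and_mode() {
    path=$1 expected_uid=$2
    out=$(stat -c '%u %a' -- "$path") || return 1
    set -- $out                         # $1 = uid, $2 = octal mode
    if [ "$1" != "$expected_uid" ]; then
        echo "FAIL: $path owned by uid $1, expected $expected_uid" >&2
        return 1
    fi
    if mode_is_shared_writable "$2"; then
        echo "FAIL: $path is group- or world-writable (mode $2)" >&2
        return 1
    fi
}

# check_script_path SCRIPT [EXPECTED_UID]   (default uid 0 = root)
# Resolves symlinks first, so a link pointing into a writable location also fails.
check_script_path() {
    script=$(readlink -f -- "$1") || return 1
    uid=${2:-0}
    [ -f "$script" ] || { echo "FAIL: $script is not a regular file" >&2; return 1; }
    check_owner_and_mode "$script" "$uid" || return 1
    check_owner_and_mode "$(dirname -- "$script")" "$uid" || return 1
    echo "OK: $script and its directory are owned by uid $uid and not shared-writable"
}
```

Run it as `check_script_path /opt/your-script.sh` on the deployed copy; a non-zero exit with a FAIL line means the directory or file still lets the jenkins user swap the script.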