by rgoldfinger 2376 days ago
The same could be said for any use of docker images. Seems a little unfair to single out Github.
3 comments

That's definitely true, but given the sensitivity of having access to private source and secrets I think it's fair to call out a warning.
Couldn't a malicious docker image also be tooled to dump all of that stuff to an external destination?
Absolutely. CI systems tend to get broad access to everything sacred. Giving that level of access to community code is risky in the least.
Totally agreed. However, when do we stop making this mistake? I think it's worth a callout when a large organization designs a dependency management system with such an obvious flaw on the "happy path".
It should be possible to import specific docker image versions into a private repository and use them for production.

With Gitlab.com:

https://docs.gitlab.com/ee/user/packages/container_registry/

https://docs.gitlab.com/ee/ci/docker/README.html
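As an added example (not from any commenter in the thread), the following POSIX shell script audits the practice the last comment describes: every scalar `image:` value in a GitLab CI config must be pinned by digest and hosted on the organisation's private registry rather than pulled by a mutable public tag. The registry hostname `registry.example.internal` and the sample `.gitlab-ci.yml` it writes are constructed placeholders.

```shell
# Audit a GitLab CI config: every scalar `image:` value must be pinned by digest
# and hosted on the private registry, not pulled by a mutable public tag.
# Assumed placeholder for the organisation's private registry hostname.
PRIVATE_REGISTRY="registry.example.internal"

# Return 0 when REF has the form <repository>@sha256:<64 hex digits>.
is_pinned_ref() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._/:-]+@sha256:[0-9a-f]{64}$'
}

# Return 0 when REF is hosted on PRIVATE_REGISTRY.
is_private_ref() {
  case "$1" in
    "$PRIVATE_REGISTRY"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Report each offending reference on stderr and echo the violation count.
# Only the scalar `image: <ref>` form is parsed, not the `image: { name: ... }` map.
count_violations() {
  n=0
  for ref in $(sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | tr -d "\"'"); do
    if ! is_pinned_ref "$ref"; then
      echo "UNPINNED  $ref" >&2; n=$((n + 1))
    elif ! is_private_ref "$ref"; then
      echo "EXTERNAL  $ref" >&2; n=$((n + 1))
    fi
  done
  echo "$n"
}

# Write a constructed sample .gitlab-ci.yml (not a real project's) and echo its path.
make_sample_config() {
  digest="sha256:$(printf '%064d' 0)"   # constructed placeholder digest, not a real image
  f=$(mktemp)
  cat > "$f" <<EOF
build:
  image: node:18
  script: [npm ci]
test:
  image: docker.io/library/alpine@$digest
  script: [sh -c true]
deploy:
  image: $PRIVATE_REGISTRY/mirrors/alpine@$digest
  script: [echo ok]
EOF
  echo "$f"
}
```

Running `count_violations "$(make_sample_config)"` flags the `node:18` tag as unpinned and the digest-pinned Docker Hub image as external, and accepts only the mirrored, digest-pinned image.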