chore(oci): add security warning for insecure OCI registry connections

l-qing · l-qing · commit 590d65ddbef2 · 2025-08-20T22:28:39.000+08:00
Add warning log when using insecure OCI registry configuration to alert
users about potential security risks. This helps ensure the feature is
only used in appropriate testing/development environments.
diff --git a/pkg/chains/storage/oci/legacy.go b/pkg/chains/storage/oci/legacy.go
@@ -124,6 +124,8 @@ func (b *Backend) buildRemoteOptions(ctx context.Context, obj objects.TektonObje
 	}
 	opts = append(opts, auth)
 	if b.cfg.Storage.OCI.Insecure {
+		logger := logging.FromContext(ctx)
+		logger.Warn("Using insecure OCI registry connection. This skips TLS certificate verification and poses security risks. Only use this in testing or development environments.")
 		// InsecureSkipVerify is used only when explicitly configured for testing or development environments
 		// This is controlled by the user through configuration and should not be used in production
 		opts = append(opts, remote.WithTransport(&http.Transport{

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,8 @@ func (b *Backend) buildRemoteOptions(ctx context.Context, obj objects.TektonObje`
`124`	`124`	`}`
`125`	`125`	`opts = append(opts, auth)`
`126`	`126`	`if b.cfg.Storage.OCI.Insecure {`
	`127`	`+ logger := logging.FromContext(ctx)`
	`128`	`+ logger.Warn("Using insecure OCI registry connection. This skips TLS certificate verification and poses security risks. Only use this in testing or development environments.")`
`127`	`129`	`// InsecureSkipVerify is used only when explicitly configured for testing or development environments`
`128`	`130`	`// This is controlled by the user through configuration and should not be used in production`
`129`	`131`	`opts = append(opts, remote.WithTransport(&http.Transport{`