Temporarily disabled releases for DCD, D-Scanner, dfmt

Basile B. b2.temp at gmx.com
Wed May 5 12:39:47 UTC 2021


On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
> CodeCov was compromised and used in some dlang-community 
> repositories with the same GitHub access token for travis to 
> upload releases. GitHub sent me a mail that the access token 
> was potentially compromised and had suspicious behavior.
>
> I have disabled the GitHub access token that is used for 
> dlang-community releases, but it seems like I cannot access the 
> travis settings to manage secrets anymore. (or can't find them)
>
> So currently the release scripts will be broken. Anyone with 
> access to the secrets on Travis who can put in new access 
> tokens?
>
> It used to be tokens by Basile who has quit GitHub before,

No, this kind of stuff (CI, devops, ...) was always managed by Seb. 
Eventually maybe the owner of the tokens would be HackerPilot?

> so I replaced them with my personal access tokens which are now 
> compromised and can't be used anymore. For new access tokens I 
> can't find the access, but it would be nice if the dlang-bot's 
> access tokens could be used for this instead.
>
> See https://github.com/dlang-community/DCD/issues/634

BTW for the other folks who maybe are not sure what to do: the 
big problem was when your CI exposed secrets. If you don't expose 
secrets, like personal access tokens, you might have received an 
alarming mail, like the one mentioned, but it does not mean that 
there's a problem.

The reason why you might have got the email is that at the account 
level (personal or organization)

1. you have defined one token.
2. one of the repos registered under this ID uses CodeCov.
3. to be safe they sent the mail.

And even if you have exposed the secret, it does not mean that it 
had a **Write Access**.
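An added example of the two-step triage described in this message (did the secret actually reach the CI job, and if so did the token carry write access), written for this page and not taken from the thread or from any dlang-community repository. It assumes a GitHub classic personal access token, for which the GitHub API reports the granted scopes in the `X-OAuth-Scopes` response header; the scope names, the live-check function and the sample header values are this example's own, and the sample values are constructed.

```python
"""Triage a 'your token may have been exposed' notice.

Two questions decide what to do:
  1. Was the secret present in the environment of the CI job that ran
     the (compromised) coverage uploader?  If not, the notice was sent
     as a precaution and nothing needs to change.
  2. If it was, does the token carry a write-capable scope?  A leaked
     read-only token still gets rotated, but a write-capable one also
     means the repositories and releases it could touch need a review.
"""
import urllib.request

GITHUB_USER_ENDPOINT = "https://api.github.com/user"

# Classic PAT scopes that allow changing repositories, releases, workflow
# files, packages or organization settings (assumed list for this example).
WRITE_SCOPES = {
    "repo", "public_repo", "workflow", "delete_repo",
    "write:packages", "delete:packages",
    "admin:org", "write:org",
    "admin:repo_hook", "write:repo_hook",
}

# Verdicts returned by triage()
NO_ACTION = "NO_ACTION"                # secret never reached CI
ROTATE = "ROTATE"                      # exposed, read-only scopes
ROTATE_AND_AUDIT = "ROTATE_AND_AUDIT"  # exposed, write-capable scopes


def parse_scopes(header_value):
    """Turn an X-OAuth-Scopes header ('repo, read:org') into a set.

    A missing or empty header yields an empty set: a classic token with
    no scopes only has public, read-only access.
    """
    if not header_value:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def write_scopes(scopes):
    """Sorted subset of `scopes` that grants write access."""
    return sorted(scopes & WRITE_SCOPES)


def triage(secret_reached_ci, scopes_header):
    """Apply the two questions above and return one of the verdicts."""
    if not secret_reached_ci:
        return NO_ACTION
    if write_scopes(parse_scopes(scopes_header)):
        return ROTATE_AND_AUDIT
    return ROTATE


def fetch_scopes_header(token, timeout=10):
    """Live check: ask the GitHub API which scopes `token` carries.

    Needs network access.  An already-revoked token makes urlopen raise
    HTTPError 401, which is itself the answer you want after a rotation.
    """
    req = urllib.request.Request(
        GITHUB_USER_ENDPOINT,
        headers={
            "Authorization": "token " + token,
            "User-Agent": "token-triage-example",  # GitHub requires a UA
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("X-OAuth-Scopes")


if __name__ == "__main__":
    # Constructed header values standing in for real API responses.
    cases = [
        (False, "repo"),                    # token exists, but CI never saw it
        (True, "read:org, read:user"),      # leaked, but read-only
        (True, "public_repo, read:org"),    # leaked, can push to public repos
    ]
    for reached, header in cases:
        print(f"reached_ci={reached!s:5} scopes={header!r:28} -> "
              f"{triage(reached, header)}")
```

The live check only applies to classic tokens; fine-grained tokens do not return `X-OAuth-Scopes`, so for those the header comes back as `None` and `triage` treats the token as read-only, which is the wrong default if the token was granted repository write permissions. Check those in the token settings page instead.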


More information about the Digitalmars-d mailing list