Fix: Move Coveralls token to GitHub secret (resolves #4918) #4954
Hello @randombit,
There is an issue notification #4918 that the Coveralls repository token in .github/workflows/ci.yml is publicly visible. As noted, it has the potential to create a security vulnerability. Test outputs can be routed externally, buggy code content can be hidden, long term obfuscation can be done, etc. To address this, ci.yml has been updated to use ${{ secrets.COVERALLS_REPO_TOKEN }} instead of the hardcoded token. @randombit I see that this development is currently assigned to you, I wanted to help to save you some time.
You can introduce the current open token as the new secret and update it with a new token after seeing ci.yml run successfully. The old one will be canceled in this way.
Hope it will save time, best regards.
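A small check for the class of problem this PR fixes, added here as an example and not part of the PR or of Botan's own CI: it scans a workflow file for Coveralls-style token keys whose value is a literal instead of a `${{ secrets.* }}` expression. The workflow fragment, the key list and the token value are constructed for the example, not taken from the real ci.yml.

```python
import re

# Constructed sample of a workflow fragment (not the project's real ci.yml):
# one job passes the Coveralls token as a literal, the other reads it from a secret.
SAMPLE_WORKFLOW = """\
jobs:
  coverage-bad:
    steps:
      - run: coveralls
        env:
          COVERALLS_REPO_TOKEN: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
  coverage-good:
    steps:
      - run: coveralls
        env:
          COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
"""

# Keys whose values should never be literals in a committed workflow (assumed list).
SENSITIVE_KEYS = ("COVERALLS_REPO_TOKEN", "repo_token", "repo-token", "github-token")

# A value is acceptable only if it is a GitHub Actions expression reading a secret.
SECRET_EXPR = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def find_hardcoded_tokens(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, key, value) for every sensitive key whose value is a literal."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = re.match(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue  # not a simple "key: value" line
        key, value = m.group(1), m.group(2).strip("\"'")
        if key in SENSITIVE_KEYS and not SECRET_EXPR.match(value):
            findings.append((lineno, key, value))
    return findings


def has_hardcoded_tokens(workflow_text: str) -> bool:
    """True when the workflow commits at least one token literal."""
    return bool(find_hardcoded_tokens(workflow_text))


if __name__ == "__main__":
    for lineno, key, value in find_hardcoded_tokens(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {key} is a literal ({value[:6]}...); "
              f"use ${{{{ secrets.{key} }}}} instead")
```

Run against a real repository, the same function can be pointed at each file under .github/workflows/ as a pre-commit or CI step so a token cannot be re-committed after the secret is rotated.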