
digitalmars.D - Temporarily disabled releases for DCD, D-Scanner, dfmt

WebFreak001 <d.forum webfreak.org> writes:
CodeCov was compromised and used in some dlang-community 
repositories with the same GitHub access token for travis to 
upload releases. GitHub sent me a mail that the access token was 
potentially compromised and had suspicious behavior.

I have disabled the GitHub access token that is used for 
dlang-community releases, but it seems like I cannot access the 
travis settings to manage secrets anymore. (or can't find them)

So currently the release scripts will be broken. Anyone with 
access to the secrets on Travis who can put in new access tokens?

It used to be tokens by Basile who has quit GitHub before, so I 
replaced them with my personal access tokens which are now 
compromised and can't be used anymore. For new access tokens I 
can't find the access, but it would be nice if the dlang-bot's 
access tokens could be used for this instead.

See https://github.com/dlang-community/DCD/issues/634
May 05 2021
Basile B. <b2.temp gmx.com> writes:
On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
> CodeCov was compromised and used in some dlang-community 
> repositories with the same GitHub access token for travis to 
> upload releases. GitHub sent me a mail that the access token 
> was potentially compromised and had suspicious behavior.
>
> I have disabled the GitHub access token that is used for 
> dlang-community releases, but it seems like I cannot access the 
> travis settings to manage secrets anymore. (or can't find them)
>
> So currently the release scripts will be broken. Anyone with 
> access to the secrets on Travis who can put in new access 
> tokens?
>
> It used to be tokens by Basile who has quit GitHub before,

No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

> so I replaced them with my personal access tokens which are now 
> compromised and can't be used anymore. For new access tokens I 
> can't find the access, but it would be nice if the dlang-bot's 
> access tokens could be used for this instead.
>
> See https://github.com/dlang-community/DCD/issues/634

BTW for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem. The reason why you might have got the email is that at the account level (personal or organization)

1. you have defined one token.
2. one of the repos registered under this ID uses CodeCov.
3. by security they sent the mail.

And even if you have exposed the secret, it does not mean that it had a **Write Access**.
May 05 2021
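The post above makes the point that an exposed token is only a real problem if it could write. The check a practitioner would want is to ask GitHub what scopes a token actually carries and classify it before deciding whether to rotate releases or just the token. The following is an added example for this thread, not code from the dlang-community projects or from any poster; it assumes a classic personal access token, because GitHub reports scopes for those in the `X-OAuth-Scopes` response header of `GET /user`, and the header values in `__main__` are constructed samples.

```python
"""Triage a GitHub classic personal access token after a CI secret-exposure
report: read the X-OAuth-Scopes header the API returns and say whether the
token could have been used to write (push, publish releases, edit hooks) or
only to read.

Added example; not code from the dlang-community projects. It assumes a
classic token (fine-grained tokens do not return X-OAuth-Scopes).
"""
import urllib.request

# Classic-token scopes that allow modifying repositories, releases, packages,
# hooks, org membership or account keys. Any of these on an exposed token
# means it must be treated as a write-capable credential.
WRITE_SCOPES = frozenset({
    "repo", "public_repo", "workflow",
    "write:packages", "delete:packages",
    "admin:org", "write:org",
    "admin:repo_hook", "write:repo_hook",
    "delete_repo",
    "admin:public_key", "write:public_key",
})


def parse_scopes(header_value):
    """Turn the comma-separated X-OAuth-Scopes value into a set of scopes.
    GitHub returns an empty header for a token that has no scopes at all."""
    if header_value is None:
        return set()
    return {s.strip() for s in header_value.split(",") if s.strip()}


def classify_token(scopes):
    """Return 'write', 'read-only', or 'no-scopes' for a set of scopes."""
    if not scopes:
        return "no-scopes"
    if scopes & WRITE_SCOPES:
        return "write"
    return "read-only"


def triage_report(header_value):
    """Full verdict for one token: its scopes, the classification and the
    subset of scopes that make it write-capable."""
    scopes = parse_scopes(header_value)
    return {
        "scopes": sorted(scopes),
        "verdict": classify_token(scopes),
        "write_scopes": sorted(scopes & WRITE_SCOPES),
    }


def scopes_from_api(token, api="https://api.github.com"):
    """Ask the GitHub API which scopes a classic token has. Needs network
    access; returns None when the header is absent (e.g. fine-grained token).
    Only the documented GET /user endpoint and the 'token' auth scheme are used."""
    req = urllib.request.Request(f"{api}/user", headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "token-triage-example",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("X-OAuth-Scopes")


if __name__ == "__main__":
    # Constructed header values shaped like the ones the API returns.
    for sample in ("repo, workflow", "read:user, read:org", ""):
        print(repr(sample), "->", triage_report(sample))
```

A token that comes back `read-only` or `no-scopes` still has to be revoked once it has been exposed, but the verdict tells you whether release artifacts, tags and hooks created while it was live need to be audited as well.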
Basile B. <b2.temp gmx.com> writes:
On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
> The reason why you might have got the email is that at the account 
> level (personal or organization)
>
> 1. you have defined one token.
> 2. one of the repos registered under this ID uses CodeCov.
> 3. by security they sent the mail.

Lol forget this... this is BS. They can't know that, unless they have collaborated with GH and GL, it's a different company. So the reason why we got the second mail might be even more simple:

1. you use CodeCov
May 05 2021
Basile B. <b2.temp gmx.com> writes:
On Wednesday, 5 May 2021 at 12:51:37 UTC, Basile B. wrote:
> On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
>> The reason why you might have got the email is that at the account 
>> level (personal or organization)
>>
>> 1. you have defined one token.
>> 2. one of the repos registered under this ID uses CodeCov.
>> 3. by security they sent the mail.
>
> Lol forget this... this is BS. They can't know that, unless they have collaborated with GH and GL, it's a different company. So the reason why we got the second mail might be even more simple:
>
> 1. you use CodeCov

The **write access** criterion is still valid however.
May 05 2021
Basile B. <b2.temp gmx.com> writes:
On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>> CodeCov was compromised and used in some dlang-community 
>> repositories with the same GitHub access token for travis to 
>> upload releases. GitHub sent me a mail that the access token 
>> was potentially compromised and had suspicious behavior.
>>
>> I have disabled the GitHub access token that is used for 
>> dlang-community releases, but it seems like I cannot access 
>> the travis settings to manage secrets anymore. (or can't find 
>> them)
>>
>> So currently the release scripts will be broken. Anyone with 
>> access to the secrets on Travis who can put in new access 
>> tokens?
>>
>> It used to be tokens by Basile who has quit GitHub before,
>
> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

I remember now. I've deleted the ones set up by Seb by error. Then automatic releases were broken. Then the ones I regenerated did not work because I missed some info to link to the release bot; probably only Seb could do that. So those tokens were not able to do anything anyway. You should test if the new ones are able to upload, let's say by pushing a tag somewhere. You should find a trace of this in the community discussion of dlang-community.
May 05 2021
WebFreak001 <d.forum webfreak.org> writes:
On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>> [...]
>
> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

Oh right, sorry, I thought that was the case because they broke roughly around that time.

>> [...]
>
> BTW for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem. The reason why you might have got the email is that at the account level (personal or organization)
>
> 1. you have defined one token.
> 2. one of the repos registered under this ID uses CodeCov.
> 3. by security they sent the mail.
>
> And even if you have exposed the secret, it does not mean that it had a **Write Access**.

I think it was compromised because they sent me a mail that it had been used in "suspicious requests" along with information of the IPs that made the requests.
May 05 2021
Basile B. <b2.temp gmx.com> writes:
On Wednesday, 5 May 2021 at 15:13:17 UTC, WebFreak001 wrote:
> On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
>> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>>> [...]
>>
>> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?
>
> Oh right, sorry, I thought that was the case because they broke roughly around that time.
>
>>> [...]
>>
>> BTW for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem. The reason why you might have got the email is that at the account level (personal or organization)
>>
>> 1. you have defined one token.
>> 2. one of the repos registered under this ID uses CodeCov.
>> 3. by security they sent the mail.
>>
>> And even if you have exposed the secret, it does not mean that it had a **Write Access**.
>
> I think it was compromised because they sent me a mail that it had been used in "suspicious requests" along with information of the IPs that made the requests.

I did not get this one for my GitLab stuff. I got the first one like everyone. A second one a few days ago, saying "you're compromised", but there were no details like an IP. Anyway you should try to push a tag in one of the repos with the new token. There are chances that this will not work, as those you deleted did not either, as it did not work way before the CodeCov security event.
May 05 2021