I don't think we have an issue like this at the moment.
We don't do that.
We don't use super-linter. None of the artifacts on this repo are log files. Concerning caching, we do cache dependencies. While I don't think there's a way to leak the GITHUB_TOKEN, this may be worth investigating again. Also the autobuild scripts are mostly custom built and don't leak the GitHub token - from our experience so far. If you see an issue there, we should of course investigate this. Pinging @hoffie to judge.
Hi all, I was reading about https://www.securityweek.com/github-actions-artifacts-leak-tokens-and-expose-cloud-services-and-repositories/ and recalled seeing mention here that GitHub Actions were in use.
Are the processes for production of pkgs and tarballs vulnerable to the security issues found?
Do you feel an announcement should be made in general regarding this security issue?
Thanks
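One way to carry out the check the reply calls worth investigating, as an added example that is not part of this thread or of the project's build scripts: scan a downloaded workflow artifact zip for GitHub token patterns and for the credential header that `actions/checkout` can persist in `.git/config`. The function names, the token-length lower bounds and the sample files are assumptions constructed for illustration.

```python
import base64
import io
import re
import zipfile

# GitHub token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_); lengths are an assumed lower bound.
TOKEN_RE = re.compile(rb"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})")
# Header written to .git/config by actions/checkout versions that persist credentials there.
HEADER_RE = re.compile(rb"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)

def scan_artifact(zip_bytes):
    """Return sorted (member, kind) findings for one artifact zip."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if TOKEN_RE.search(data):
                findings.add((info.filename, "token-pattern"))
            for m in HEADER_RE.finditer(data):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:
                    continue  # not valid base64, so not a persisted credential
                if TOKEN_RE.search(decoded):
                    findings.add((info.filename, "checkout-extraheader"))
    return sorted(findings)

def build_sample():
    """Constructed artifact: one clean log, one leaked .git/config, one env dump."""
    fake = b"ghs_" + b"0" * 36  # constructed placeholder, not a real token
    header = base64.b64encode(b"x-access-token:" + fake)
    files = {
        ".git/config": b'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic '
                       + header + b"\n",
        "build.log": b"compiling...\ndone\n",
        "env-dump.txt": b"GITHUB_TOKEN=" + fake + b"\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    for name, kind in scan_artifact(build_sample()):
        print(f"{kind}: {name}")
```

An empty result only means none of these patterns matched; it does not cover secrets in other formats or credentials for other services.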