airajena commented on code in PR #5388:
URL: https://github.com/apache/fineract/pull/5388#discussion_r2727155155
##########
fineract-doc/slack.gradle:
##########
@@ -0,0 +1,165 @@
+
+import groovy.json.JsonSlurper
+import java.time.Instant
+import java.time.ZoneId
+import java.time.format.DateTimeFormatter
+
+task updateSlackArchive {
+ group = 'documentation'
+ description = 'Fetches Slack messages and generates AsciiDoc archives'
+
+ def outputDir = file("${projectDir}/src/docs/en/chapters/slack_archive")
+ outputs.dir outputDir
+
+ doLast {
+ def token = System.getenv('SLACK_TOKEN')
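Review bot: the hunk's last line, `def token = System.getenv('SLACK_TOKEN')`, assigns the secret with no null or blank check in view, so a missing variable would surface later as an obscure failure inside the fetch instead of a clear message; add a fail-fast `GradleException` that names the variable (never its value) right after it, and prefer `providers.environmentVariable('SLACK_TOKEN')` captured outside `doLast` so the task stays configuration-cache compatible. Whatever follows should also keep the token out of lifecycle logging and out of the request URL.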
Review Comment:
Thanks for the security review, Aman!
I've addressed the concerns in the latest push:
- Switched from `System.getenv` to
`providers.environmentVariable("SLACK_TOKEN").getOrNull()`.
This aligns with modern Gradle best practices for input handling and
configuration cache compatibility, ensuring we don't inadvertently *bake
secrets into the cache key* in an unsafe way (which can happen with raw
environment access).
- Confirmed that the token variable is never printed or logged. The script
only logs high-level lifecycle status messages.
- The intention (which I’ll explicitly clarify in the documentation) is that
this token should strictly be a **Bot User OAuth Token** with limited
**read-only scopes** (`channels:read`, `history:read`), rather than a full user
token. This significantly limits the blast radius if the token were ever
mishandled.
With these changes, the secret handling follows standard and safe practices
for **CI-injected secrets in Gradle scripts**.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
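As an added illustration of the pattern the comment above describes (reading the token through a lazy Gradle provider, failing fast when it is absent, and keeping it out of logs); this is example code, not the PR's own slack.gradle, and the channel id, the `java.net.http` client and the AsciiDoc layout are assumptions:

```groovy
import groovy.json.JsonSlurper
import java.net.http.HttpClient
import java.net.http.HttpRequest
import java.net.http.HttpResponse

tasks.register('updateSlackArchive') {
    group = 'documentation'
    description = 'Fetches Slack messages and generates AsciiDoc archives'

    // Lazy Provider: resolved when the task runs, not at configuration time,
    // so the secret value is not captured while the configuration cache is built.
    def slackToken = providers.environmentVariable('SLACK_TOKEN')
    // Assumed channel id for this example; a real build would take it from configuration.
    def channelId = 'C0000000000'
    def outputDir = layout.projectDirectory.dir('src/docs/en/chapters/slack_archive')
    outputs.dir(outputDir)

    doLast {
        def token = slackToken.getOrNull()
        // Fail fast with a message that names the variable but never its value.
        if (token == null || token.trim().isEmpty()) {
            throw new GradleException('SLACK_TOKEN is not set; cannot fetch Slack history')
        }

        def request = HttpRequest.newBuilder(
                URI.create("https://slack.com/api/conversations.history?channel=${channelId}&limit=200"))
            // The token travels only in the Authorization header, never in the URL or the logs.
            .header('Authorization', "Bearer ${token}")
            .GET()
            .build()
        def response = HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString())

        // Log lifecycle status only; the raw body is not echoed to the build output.
        logger.lifecycle("Slack API responded with HTTP ${response.statusCode()}")
        def payload = new JsonSlurper().parseText(response.body())
        if (!payload.ok) {
            // Slack reports auth problems as a short error code (e.g. invalid_auth); that is safe to log.
            throw new GradleException("Slack API error: ${payload.error}")
        }

        def archive = outputDir.file("${channelId}.adoc").asFile
        archive.parentFile.mkdirs()
        archive.withWriter('UTF-8') { w ->
            w.println "= Slack archive for ${channelId}"
            payload.messages.each { m -> w.println "* ${m.ts}: ${m.text}" }
        }
        logger.lifecycle("Wrote ${payload.messages.size()} messages to ${archive}")
    }
}
```

Because the Provider is only read inside `doLast`, `gradle updateSlackArchive` with the variable unset stops at the `GradleException` before any network call is made.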