You can limit token scope to read repo information.
Thu, 22 Dec 2022 at 23:49, Willy Tarreau <w...@1wt.eu>:
> On Thu, Dec 22, 2022 at 11:35:35PM +0600, ???? ??????? wrote:
> > here's how it works
> >
> > (unfortunately, github does not allow secret named GITHUB_ , so I created
> > secret "TOKEN" and assigned it to variable GITHUB_API_TOKEN)
> >
> > I also added "env" to print all variables, you can see the value of
> > GITHUB_API_TOKEN is masked. is it set to wrong value, so API call failed:
> >
> > > https://github.com/chipitsine/haproxy/actions/runs/3759885064/jobs/6389967966
>
> OK, it was supposed to appear at line 27 and was masked in the console
> output. And the backtrace didn't reveal the value of the argument, just
> their name. So normally if it fails in urllib.request.Request() it should
> only log the URL and "headers", nothing more.
>
> In that case I think it's acceptable. We'll just need to watch from time
> to time and destroy the token if we notice it for whatever other reason
> (e.g. debug mode enabled in HTTP fetch showing headers etc). Sorry for
> being annoying but you'll agree that the whole security around this is
> extremely fragile and solely relies on the console filtering known
> strings!
>
> So now the next step will be for me to find my way through the painful
> settings interface. I'll find Tim's previous howto in my mails.
>
> Thanks!
> Willy
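As an added example (not code from this thread and not HAProxy's own CI script), a small Python fetcher that reads the token from the GITHUB_API_TOKEN variable named in the thread and, on failure, reports only the URL and redacted headers instead of relying on the Actions console mask to hide the token. The `failing_opener`, the token value in `demo()` and the function names are constructed for the demonstration.

```python
import os
import urllib.error
import urllib.request

# Assumption from the thread: the token is exposed to the job through the
# GITHUB_API_TOKEN environment variable (fed from the repository secret "TOKEN").
TOKEN_ENV = "GITHUB_API_TOKEN"
SENSITIVE_HEADERS = {"authorization"}


class GithubApiError(RuntimeError):
    """Raised instead of letting urllib's traceback carry request headers."""


def redact_headers(headers):
    """Return a copy of headers with credential-bearing values replaced."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def build_request(url, token):
    """Build the API request; the token goes in a header, never in the URL."""
    headers = {"Accept": "application/vnd.github+json",
               "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, headers=headers)


def github_get(url, token=None, opener=urllib.request.urlopen):
    """Fetch url with a (read-only scoped) token; never echo the token on error."""
    token = token or os.environ.get(TOKEN_ENV)
    if not token:
        raise GithubApiError(f"{TOKEN_ENV} is not set")
    req = build_request(url, token)
    try:
        with opener(req) as resp:
            return resp.read()
    except urllib.error.URLError as exc:
        # "from None" drops the chained traceback so the original frames
        # (which hold the Authorization header) are not printed.
        raise GithubApiError(f"request to {url} failed ({exc.reason}); "
                             f"headers={redact_headers(req.headers)}") from None


def failing_opener(req):
    """Constructed stand-in for urlopen that always fails."""
    raise urllib.error.URLError("name resolution failed")


def demo():
    """Drive the failure path with a constructed token; return the message."""
    try:
        github_get("https://api.github.com/repos/haproxy/haproxy",
                   token="ghp_constructed_example", opener=failing_opener)
    except GithubApiError as exc:
        return str(exc)
    return ""
```

Run `demo()` to see that the error text names the URL and the header keys while the constructed token value never appears.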