Codecov Bash Uploader Security Notice

[psychon]

I got a mail on the 15th. See https://about.codecov.io/security-update/.

TL;DR: All secrets used on Travis CI might be compromised.

AFAIK this includes a token with write access to https://github.com/awesomeWM/apidoc, which is relatively low-risk.

This issue is FYI. Feel free to just close this. I don't know what to do, so I just opened this issue.

[Aire-One]

I don't know who has permissions for, but I guess someone needs to reroll all our secrets/API keys from Travis and codecov.

BTW, I'm not sure how it's actually handled, but aren't some of our API keys hardcoded in our travis.yml anyway?

[psychon]

aren't some of our API keys hardcoded in our travis.yml anyway?

Yup:

awesome/.travis.yml

Lines 97 to 98 in fda950d

	# Secure GH_APIDOC_TOKEN to push to awesomeWM/apidoc.
	- secure: "R/HYDclnws1I1+v9Yjt+RKa4CsFhbBT9tiwE3EfPhEj2KCYX4sFRMxuZvLf5sq0XWdrQaPhQ54fgAZGr3f054JKRXcTB0g9J6nhSHz9kIjPh446gafUhEeDQcZRwM/MeCWiwFIkiZm6smYoDFE9JTWu6quNV+lQ4kcVDOp2ibEc="

This might actually be the only secret. I looked at https://travis-ci.com/github/awesomeWM/awesome/settings and there are no environment variables listed. No idea where else a "secret" could be hiding.

However, no idea how this GH_API_TOKEN works. I clicked around a bit in "Settings" and only found "deploy keys", but there are none configured.