why do pipelines have $BUILDKITE_AGENT_TOKEN set by default? #404
E.g. in a large org, a rogue employee could easily trigger a CI job, print out $BUILDKITE_AGENT_TOKEN, and then push a force commit to remove the echo statement, and pretty much no one would ever know they have this org-level credential.
I'm not sure what a rogue employee could actually do with the agent token, but I can't see the use in exposing it to pipelines, especially by default.
Likewise with the
Instead, each pipeline should get a brand new access token it can use. That way, tokens are isolated to only the pipeline that they are exposed in.
This is something we've just recently fixed in buildkite/agent#908 — no longer with the
But your feedback about agent token designs, and pipeline permissions, is something we're actively working to improve. https://forum.buildkite.community/t/multiple-agent-tokens-per-org-with-agent-queue-restrictions/143/5 is probably a relevant feature request worth voting on!
I'm going to close this issue here though, because it's not really a docs issue. Thanks for the feedback!