You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Stop exposing real account tokens in plaintext
Browse filesBrowse the repository at this point in the history
After I rotated the Gemfury/Hex.PM tokens, these unit tests started
failing, which made us realize we've been exposing the account tokens
in the clear.
Historically this was fine because:
1. These private registries were used solely for test accounts, it
didn't matter if they were compromised.
1. Dependabot was a startup manned by a small team, so everyone knew
these registries were publicly exposed and shouldn't be re-used for
anything private.
However, 2锔忊儯 is no longer true... now that is part of
GitHub, the team has grown so there's a risk that someone could upload
something that should stay private to these orgs.
Unfortunately, neither Gemfury nor Hex.PM support limiting the scope of
a token to particular package(s). So while they're read-only, they still
expose everything on the account.
After discussing further, we decided that we no longer want to expose
these tokens, so flipping them to use Env Vars.
Furthermore, these tests exercise private registry auth code in
`dependabot-core`, but we don't use that in production at GitHub.
Instead, we use a [private credential
proxy](https://github.com/dependabot/dependabot-core#private-registry-credential-management).
Long term, we've batted around the idea of open sourcing that, in which
case we'd remove all the private registry auth code from
`dependabot-core`.
So this PR removes the plain text tokens (and I will also delete them
from the registry side to ensure they aren't usable). And wires up env
var support so that if we _do_ need to run these tests, we can still do
that. But it does _not_ go to the trouble of wiring up setting the env
var using GitHub actions because there is a reasonable chance this code
will all be deleted in the not-too-distant future. And until then, it's
not even used by GitHub production, only by folks running
`dependabot-core` standalone. So the impact if this does break is fairly
small and in that case we'd happily accept a contribution to fix things,
but we're unlikely to invest the engineering efforts ourselves to fix
it.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
is part of GitHub, the team has grown so there's a risk that someone could upload something that should stay private to these orgs. Unfortunately, neither Gemfury nor Hex.PM support limiting the scope of a token to particular package(s). So while they're read-only, they still expose everything on the account. After discussing further, we decided that we no longer want to expose these tokens, so flipping them to use Env Vars. Furthermore, these tests exercise private registry auth code in `dependabot-core`, but we don't use that in production at GitHub. Instead, we use a [private credential proxy](https://github.com/dependabot/dependabot-core#private-registry-credential-management). Long term, we've batted around the idea of open sourcing that, in which case we'd remove all the private registry auth code from `dependabot-core`. So this PR removes the plain text tokens (and I will also delete them from the registry side to ensure they aren't usable). And wires up env var support so that if we _do_ need to run these tests, we can still do that. But it does _not_ go to the trouble of wiring up setting the env var using GitHub actions because there is a reasonable chance this code will all be deleted in the not-too-distant future. And until then, it's not even used by GitHub production, only by folks running `dependabot-core` standalone. So the impact if this does break is fairly small and in that case we'd happily accept a contribution to fix things, but we're unlikely to invest the engineering efforts ourselves to fix it.
