Update the hex.pm/orgs/dependabot token #7532
The previous token was tied to a user account of someone who is no longer on the Dependabot team. When I removed that user from the Hex org, this [test started breaking](https://github.com/dependabot/dependabot-core/actions/runs/5487053978/jobs/9997970150?pr=7525). So this updates the token to an organization-based token, which is not tied to any user.

This is a read-only token, which has access to _all_ private packages in the https://hex.pm/orgs/dependabot org. This is a security risk if we don't realize this and accidentally upload a private test package to this organization that we don't want to make public, but there's currently no way to prevent that other than using two separate organizations. I filed a feature request upstream:

* hexpm/hexpm#1205
This is OK for now, but maybe we could move the secret into actions secrets and reference it as an environment variable in our tests?
I considered it, but thought that since this is technically a unit test in open source, my expectation is anyone should be able to run these tests... we generally tell folks "run

Since this is really an integration test, do we have a place where we set those up and open source folks don't necessarily expect to be able to run those? Would smoke tests fit under that category?

Happy to migrate this to an actions secret if instead we decide we don't expect it to pass for open source collaborators...
We chatted about this internally a bit more and decided to stop exposing these tokens in plain text:
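The suggestion in the thread is to move the hex.pm organization token into a GitHub Actions secret and have the spec read it from an environment variable. The following is an added example of that pattern, not code from dependabot-core or from this PR. The variable name `DEPENDABOT_HEX_ORG_TOKEN`, the workflow excerpt in the comment, and the `type`/`organization`/`token` shape of the credentials hash are assumptions made here for illustration.

```ruby
# Added example, not dependabot-core's own code: read the hex.pm organization
# token from the environment (populated in CI from an Actions secret) instead
# of committing it to the spec file, and skip the integration spec cleanly
# when the variable is absent, as it will be for outside contributors.
#
# Assumed (hypothetical) names: the DEPENDABOT_HEX_ORG_TOKEN variable and the
# workflow excerpt below.
#
#   # .github/workflows/ci.yml (excerpt)
#   env:
#     DEPENDABOT_HEX_ORG_TOKEN: ${{ secrets.DEPENDABOT_HEX_ORG_TOKEN }}

HEX_ORG_TOKEN_VAR = "DEPENDABOT_HEX_ORG_TOKEN".freeze
HEX_ORG = "dependabot".freeze

# Builds a credentials entry for the private org in the type/organization/token
# shape assumed here. Returns nil when the variable is unset or blank so the
# caller can skip rather than run the integration spec without read access.
def hex_org_credentials(env = ENV)
  token = env[HEX_ORG_TOKEN_VAR].to_s.strip
  return nil if token.empty?

  { "type" => "hex_organization", "organization" => HEX_ORG, "token" => token }
end

# Decides whether the private-package spec should run. Returns [run?, reason],
# where reason explains the skip so a local run is not mistaken for a failure.
def private_package_spec_status(env = ENV)
  return [true, nil] if hex_org_credentials(env)

  [false, "#{HEX_ORG_TOKEN_VAR} not set; skipping private hex.pm package spec"]
end

# Masks the token before credentials are logged or embedded in a failure
# message, so a failing spec cannot dump the org-wide read token into CI output.
def redact_credentials(creds)
  return creds if creds.nil?

  creds.merge("token" => "***")
end

if __FILE__ == $PROGRAM_NAME
  run, reason = private_package_spec_status
  if run
    puts "credentials: #{redact_credentials(hex_org_credentials).inspect}"
  else
    puts reason
  end
end
```

With this split, the token exists only in the repository's Actions secrets and in the CI job's environment; a fork's pull request does not receive repository secrets, so the spec skips there instead of failing or, worse, shipping the token in the source tree.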