Update the hex.pm/orgs/dependabot token #7532

Merged: 1 commit merged into main from update-hex-org-token on Jul 7, 2023

Conversation

@jeffwidman jeffwidman (Member) commented Jul 7, 2023

The previous token was tied to a user account of someone who is no longer on the Dependabot team. When I removed that user from the Hex org, this [test started breaking](https://github.com/dependabot/dependabot-core/actions/runs/5487053978/jobs/9997970150?pr=7525).

So this updates the token to an organization-based token, which is not tied to any user.

This is a read-only token, which has access to _all_ private packages in the https://hex.pm/orgs/dependabot org.

This is a security risk if we don't realize this and accidentally upload a private test package to this organization that we don't want to make public, but there's currently no way to prevent that other than using two separate organizations.

I filed a feature request upstream:
* hexpm/hexpm#1205

@jeffwidman jeffwidman requested a review from a team as a code owner July 7, 2023 17:39
@github-actions github-actions bot added the L: elixir:hex Elixir packages via hex label Jul 7, 2023
@jeffwidman jeffwidman changed the title Update the hex.pm token Update the hex.pm/orgs/dependabot token Jul 7, 2023
@jurre jurre (Member) left a comment


This is OK for now, but maybe we could move the secret into actions secrets and reference it as an environment variable in our tests?

@jeffwidman jeffwidman (Member Author)

> maybe we could move the secret into actions secrets and reference it as an environment variable in our tests?

I considered it, but thought that since this is technically a unit test in open source, my expectation is anyone should be able to run these tests... we generally tell folks "run rspec and it should all pass".

Since this is really an integration test, do we have a place where we set those up and open source folks don't necessarily expect to be able to run those? Would smoke tests fit under that category?
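Jurre's suggestion (keep the token in Actions secrets and read it as an environment variable) and Jeff's concern (a plain `rspec` run should still pass for outside contributors) can both be satisfied by resolving the token at test time and skipping, rather than failing, when it is absent. The block below is an added example written for this page, not dependabot-core's own code; the env var name `HEX_ORG_TOKEN`, the module name, CI detection via the `CI` env var, and the `hex_organization` credential hash shape are assumptions.

```ruby
# frozen_string_literal: true

# Added example for this discussion, not dependabot-core's own code.
# Assumptions: the Actions secret is exposed as HEX_ORG_TOKEN, CI runs set the
# CI env var (GitHub Actions does), and the credential hash shape
# {"type" => "hex_organization", ...} is what a hex fetcher would consume.
module HexOrgCredential
  ENV_VAR = "HEX_ORG_TOKEN"
  ORG = "dependabot"

  Result = Struct.new(:credentials, :skip_reason)

  # Resolve the read-only org token at test time. `env` is injectable so the
  # three branches can be exercised without touching the real environment.
  #   token present          -> credentials, no skip reason
  #   token missing on CI    -> raise, so a mis-wired workflow fails loudly
  #   token missing locally  -> skip reason, so a plain `rspec` run still passes
  def self.resolve(env = ENV)
    token = env[ENV_VAR].to_s.strip
    if token.empty?
      raise KeyError, "#{ENV_VAR} is not set but CI=#{env['CI']}" if env["CI"]

      return Result.new(nil, "#{ENV_VAR} not set; skipping hex.pm integration example")
    end

    creds = [{ "type" => "hex_organization", "organization" => ORG, "token" => token }]
    Result.new(creds, nil)
  end

  # Scrub the token from any text that may end up in a log or failure message,
  # so a read-only org token never lands in CI output.
  def self.redact(text, token)
    return text if token.nil? || token.empty?

    text.gsub(token, "[REDACTED]")
  end
end

# Usage inside an RSpec example group (rspec is not loaded here, shown as a comment):
#   before do
#     result = HexOrgCredential.resolve
#     skip(result.skip_reason) if result.skip_reason
#     @credentials = result.credentials
#   end

if $PROGRAM_NAME == __FILE__
  # Constructed environments, not real values.
  [{ "HEX_ORG_TOKEN" => "constructed-token" }, {}].each do |env|
    r = HexOrgCredential.resolve(env)
    puts r.skip_reason || HexOrgCredential.redact(r.credentials.inspect, env["HEX_ORG_TOKEN"])
  end
end
```

The `CI` check is the important design choice: a missing secret on CI is a misconfiguration that should fail the build, while the same condition on a contributor's laptop should only skip the integration example, so "run rspec and it should all pass" stays true without shipping a token in plain text.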

@jeffwidman jeffwidman merged commit df6e81c into main Jul 7, 2023
102 checks passed
@jeffwidman jeffwidman deleted the update-hex-org-token branch July 7, 2023 18:02
@jeffwidman jeffwidman (Member Author) commented Jul 7, 2023

Happy to migrate this to an actions secret if instead we decide we don't expect it to pass for open source collaborators...

@jeffwidman jeffwidman (Member Author) commented Jul 7, 2023

We chatted about this internally a bit more and decided to stop exposing these tokens in plain text:

brettfo pushed a commit to brettfo/dependabot-core that referenced this pull request Oct 11, 2023