This repository has been archived by the owner on Oct 3, 2023. It is now read-only.
The current project template suggests that users include their VSTS Marketplace token in the settings.json file, which is scary as hell, as this is an all-accounts token and many people are likely to use all scopes because it's easier.
Instead I'd suggest to point to a token.json which is not included in the project and a piece of documentation on how to create it and why not to put it into source control.
Including a tfignore/gitignore that auto-excludes this token.json would prevent accidental inclusion.
I can definitely add the ignore files. The settings.tfx.json file that is in the template currently would most likely be the file to exclude, as it has the publish settings. To be fair, there is nothing explicit in the template that tells users to check in their sensitive information via the settings.tfx.json file. Much like you shouldn't store your connection string information in your app.config, but many folks forget to sanitize that file prior to check-in.
I'll leave this open until I get the changes into master. Thanks for the feedback!
I understand that people shouldn't check in sensitive data, you understand it, but I wonder whether all people understand it and, since Visual Studio will auto-pend-add the file after project creation, mistakes are easy to make.
Since some of the settings in the settings.json make sense to be checked in, I'd put the API token in a separate file if the project.json understands that. That would make it very explicit.