Don't leak GitHub tokens when pushing #13507
@bors-servo r+
📌 Commit 4562598 has been approved by
4562598 to a838c53
Since the queue is pretty long, I've updated this to a more secure method. r? @SimonSapin One thing I'm unsure of is whether there should be a colon (
Looks ok to me, though I’ve never used Does this need corresponding changes on the CI servers?
a838c53 to 32f082c
I spent some time looking at the git credentials documentation and I couldn't really understand how it worked, so I've moved away from that in the interest of knowing how our scripts work. This is now using the previous method of simply redirecting stdout/stderr, which is simpler and well-understood.
If git is unable to resolve the repo address (which includes the token), it will print a message to stderr with the path to the repo, thus leaking the token. Avoid doing this, and also suppress stdout to be extra careful.
32f082c to 630b523
@bors-servo r+
📌 Commit 630b523 has been approved by
…Sapin

Don't leak GitHub tokens when pushing

- [ ] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [ ] These changes fix #__ (github issue number if applicable).
- [ ] There are tests for these changes OR
- [x] These changes do not require tests because they just remove output/were lightly tested by hand

If git is unable to resolve the repo address (which includes the token), it will print a message to stderr with the path to the repo, thus leaking the token. Avoid doing this.
☀️ Test successful - arm32, arm64, linux-dev, linux-rel-css, linux-rel-wpt, mac-dev-unit, mac-rel-css, mac-rel-wpt1, mac-rel-wpt2, windows-dev
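The leak described in the commit message, as an added example that is not code from this PR or from the Servo repository: it contrasts the PR's approach of discarding git's stdout/stderr with an alternative that keeps diagnostics but redacts the token. `fake_git_push`, `push_silenced`, `push_redacted`, the token and the remote URL are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Constructed values: placeholder token and a remote URL that embeds it.
TOKEN="ghp_CONSTRUCTED_EXAMPLE_TOKEN"
REMOTE="https://bot:${TOKEN}@github.invalid/example/repo.git"

# Stand-in for a `git push` that cannot resolve its remote: it repeats the
# full URL (token included) on stdout and stderr and exits non-zero.
fake_git_push() {
    echo "Pushing to $1"
    echo "fatal: unable to access '$1': Could not resolve host" >&2
    return 128
}

# Approach used in the PR: discard stdout and stderr, keep only the exit status.
push_silenced() {
    "$@" >/dev/null 2>&1
}

# Alternative: capture the combined output and replace every literal
# occurrence of the token before anything reaches the CI log.
# The token goes to awk through the environment, not argv, and is matched
# with index() so regex metacharacters in it cannot break the match.
push_redacted() {
    out=$("$@" 2>&1) && status=0 || status=$?
    printf '%s\n' "$out" | SECRET="$TOKEN" awk '
        { s = ENVIRON["SECRET"]; n = length(s)
          while (n > 0 && (i = index($0, s)) > 0)
              $0 = substr($0, 1, i - 1) "[REDACTED]" substr($0, i + n)
          print }'
    return "$status"
}

# Demo: both wrappers preserve the failure status without printing the token.
push_silenced fake_git_push "$REMOTE" || echo "push failed (exit $?), output suppressed"
push_redacted fake_git_push "$REMOTE" || echo "push failed (exit $?)"
```

Suppression loses the error text along with the token, so the exit status is the only signal left; redaction keeps the message but only protects the exact string it is told to replace.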