Continuing the top-post trend... I'd rather see full audit logs kept ~forever for any use of credentials, including the code that was executed.
If we can't stop the leak, we can at least keep the paper trail. Right now, with our aggressive build cleanup steps, I don't think this is happening. Archiving that data somewhere else for legal purposes might be a good idea.

-Joan "just an idea" Touzet

On 2019-08-28 5:02, sebb wrote:
> I think the pre-verified code could run on a separate system with
> restricted access.
> That's how self-service works for creating mailing lists, for example.
>
> In this case, there would need to be a separate host with read access
> to Jenkins.
> It could accept publish requests from Jenkins, and route them accordingly.
>
> This would require a bit of effort to set up, but could be used for
> multiple projects.
>
> On Wed, 28 Aug 2019 at 03:26, Greg Stein <gst...@gmail.com> wrote:
>>
>> Yeah. Figured as much, hoped that I was missing something :)
>>
>> (note: we have the same issue with buildbot and jenkins: we simply trust
>> the communities to not exfil that data)
>>
>> On Tue, Aug 27, 2019 at 9:16 PM Matt Sicker <boa...@gmail.com> wrote:
>>
>>> How to avoid leaking secrets: only way to do that is via pre-verified code
>>> that executes something with that secret. Otherwise, there's literally
>>> infinite ways to leak it being a Turing machine and all. This applies to
>>> all CICD tools.
>>>
>>> On Tue, Aug 27, 2019 at 20:32, Greg Stein <gst...@gmail.com> wrote:
>>>
>>>> Hi Francis,
>>>>
>>>> Is the token needed to push from calcite to calcite-site? Is that an oauth
>>>> token or something? And are you able to use the repository settings to add
>>>> secrets, but you don't have the right token? Or you cannot add secrets at
>>>> all? (I can't tell since I have superpowers)
>>>>
>>>> I've added GSTEIN_TEST_SECRET to Calcite. See if you can extract/print that
>>>> into your build/action log. If so, then we can try to figure out the
>>>> security here (ie. how do we avoid Actions exfiltrating the token?)
>>>>
>>>> Thanks,
>>>> -g
>>>>
>>>> On Tue, Aug 27, 2019 at 5:19 AM Francis Chuang <francischu...@apache.org>
>>>> wrote:
>>>>
>>>>> I have implemented the ability to generate the website and javadoc for
>>>>> Calcite using Github Actions. See:
>>>>> https://github.com/apache/calcite/tree/test-site/.github/workflows
>>>>>
>>>>> The missing piece is that we need the token to publish to our
>>>>> calcite-site repository to be added as a secret in Github Actions and
>>>>> there is currently no clear process as to whether this is allowed or how
>>>>> to get this done.
>>>>>
>>>>> See:
>>>>> https://issues.apache.org/jira/browse/INFRA-18874
>>>>> https://issues.apache.org/jira/browse/INFRA-18875
>>>>>
>>>>> Francis
>>>>>
>>>>> On 27/08/2019 7:52 pm, Greg Stein wrote:
>>>>>> Have you had an opportunity to make progress on this, to share with us?
>>>>>>
>>>>>> Anybody else with news?
>>>>>>
>>>>>> Thanks!
>>>>>> -g
>>>>>> InfraAdmin, ASF
>>>>>>
>>>>>>
>>>>>> On Tue, Aug 13, 2019 at 3:59 PM Karl Heinz Marbaise <khmarba...@gmx.de>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've made a simple PoC for the Apache Maven Dependency Plugin on a
>>>>>>> separate branch.
>>>>>>>
>>>>>>> I will try within the next days more features for example Mac OS builds
>>>>>>> etc.
>>>>>>>
>>>>>>>
>>>>>>> Currently I simply push my changes via gitbox ..
>>>>>>>
>>>>>>> maven-dependency-plugin (GITHUB_ACTIONS)$ git remote -v
>>>>>>> origin https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git (fetch)
>>>>>>> origin https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git (push)
>>>>>>>
>>>>>>>
>>>>>>> Also I'm interested to use SonarCloud related with GitHub Actions..?
>>>>>>>
>>>>>>>
>>>>>>> Kind regards
>>>>>>> Karl Heinz Marbaise
>>>>>>> Apache Maven PMC
>>>>>>>
>>>>>>> [1]: https://github.com/apache/maven-dependency-plugin/runs/192633340
>>>>>>> [2]: https://github.com/apache/maven-dependency-plugin/blob/66435b225e7885f44b25207e025469f6d5237107/.github/workflows/maven.yml
>>>>>>>
>>>>>>> On 12.08.19 00:31, Greg Stein wrote:
>>>>>>>> On Sun, Aug 11, 2019 at 5:15 PM Francis Chuang <francischu...@apache.org>
>>>>>>>> wrote:
>>>>>>>>> ...
>>>>>>>>
>>>>>>>>> I think there are quite a few ASF projects using gitbox and Github and
>>>>>>>>> this would be a very good complement or replacement for Travis, AppVeyor
>>>>>>>>> and other CI/CD platforms currently in use.
>>>>>>>>>
>>>>>>>>> Is there any interest from the ASF to enable this for all Gitbox
>>>>>>>>> projects when it becomes fully public?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Absolutely. The Infrastructure team would love to see groups try this out,
>>>>>>>> and share the experiences here.
>>>>>>>>
>>>>>>>> If there are any hurdles, then share them and we'll try to knock them down.
>>>>>>>>
>>>>>>>>> I am also interested in being able to push to our website automatically
>>>>>>>>> using Github Actions. If the git token that can push to a particular
>>>>>>>>> website repository is added as a secret [2] to Github Actions, this
>>>>>>>>> would be pretty easy to use for projects to automate the building of
>>>>>>>>> their websites.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Should be possible. Again, comes back to groups trying this and reporting
>>>>>>>> back how well it went.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Greg Stein
>>>>>>>> Infrastructure Administrator, ASF
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>> --
>>> Matt Sicker <boa...@gmail.com>
>>>
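As an added example (not code from this thread, from ASF Infra, or from any project mentioned), here is a hypothetical "publish broker" in the shape sebb and Matt describe, with the audit record Joan asks for: the broker host alone holds the token, runs a submitted script only if its hash is on a pre-verified allowlist, and writes an audit record for every request whether approved or not. The repo name, script content, token and requester ids are all constructed placeholders.

```python
import hashlib
import json
import time

# Constructed stand-in for the publish token. Only the broker host holds it;
# the CI caller gets back an approve/deny decision, never the token.
BROKER_SECRET = "example-not-a-real-token"

# Pre-verified publish script, reviewed once and then pinned by the SHA-256
# of its exact bytes. Only byte-identical content may run with the secret.
VERIFIED_SCRIPT = b"git push https://example.invalid/example-site.git HEAD:main\n"
ALLOWED_SCRIPTS = {hashlib.sha256(VERIFIED_SCRIPT).hexdigest(): "example-site publish"}

# Stand-in for an append-only store kept off the build host, so build
# cleanup steps cannot erase it.
AUDIT_LOG = []


def handle_publish_request(requester, repo, script_bytes, run_script):
    """Run a publish request only if the script matches a pre-verified hash.

    Every request produces an audit record that keeps the executed code
    itself, not just its hash. run_script(script, secret) is the hook that
    executes on the broker; the caller never receives the secret."""
    digest = hashlib.sha256(script_bytes).hexdigest()
    approved = digest in ALLOWED_SCRIPTS
    record = {
        "ts": time.time(),
        "requester": requester,
        "repo": repo,
        "script_sha256": digest,
        "script": script_bytes.decode("utf-8", "replace"),
        "approved": approved,
    }
    AUDIT_LOG.append(json.dumps(record))
    if not approved:
        return "denied: script is not on the pre-verified list"
    run_script(script_bytes, BROKER_SECRET)
    return "approved: " + ALLOWED_SCRIPTS[digest]


def secret_in_audit_log():
    """Sanity check: the paper trail must never capture the credential."""
    return any(BROKER_SECRET in line for line in AUDIT_LOG)
```

A single changed byte in the script (an added step, a different remote) changes the digest, so the request is denied but still logged.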