On Thu, Dec 22, 2022 at 11:00:26PM +0600, ???? ??????? wrote:
> I'm not sure if it is possible to issue an organization-based token (not a
> personal one).
> 
> As for visibility, secrets are not visible for pull requests.

My concern is not that they are in a PR or any such thing, but that
they're passed in HTTP requests and function arguments in Python
scripts. So once we get a failure, if the failed request is dumped into
the CI's logs, or if the Python interpreter emits a stack trace with all
arguments to the functions in the stack, the build logs will reveal the
secret. Maybe there's a way to be certain that the logs from the Python
script are never dumped to publicly accessible logs, or to redirect them
to files only accessible to authorized people, and that would be fine,
but until then, I don't know what guarantees we have. This is my concern
regarding the use of this token like this.

Thanks,
Willy
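Willy's concern above is that a token passed as a function argument or request header ends up in CI logs through an error dump or a stack trace. As an added example that is not part of this thread or of any project it discusses, the following Python shows one defensive pattern: an opaque Secret wrapper, a redacting logging filter, and a traceback scrub, with a hypothetical `post_with_token` standing in for the failing HTTP call and a constructed sample token.

```python
import logging
import traceback
from typing import Iterable


class Secret:
    """Opaque wrapper: repr/str never expose the value, so an argument dump
    or an f-string of the object prints '<Secret>' instead of the token."""
    def __init__(self, value: str) -> None:
        self._value = value
    def reveal(self) -> str:
        return self._value
    def __repr__(self) -> str:
        return "<Secret>"
    __str__ = __repr__


def redact(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each secret with a fixed marker."""
    for s in secrets:
        if s:
            text = text.replace(s, "***REDACTED***")
    return text


class RedactSecrets(logging.Filter):
    """Logging filter that masks registered secrets in the fully formatted
    message (including %-style args) before any handler writes it out."""
    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets = list(secrets)
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def filtered_message(msg: str, args: tuple, secrets: Iterable[str]) -> str:
    """What a handler sees after RedactSecrets has processed the record."""
    record = logging.LogRecord("ci", logging.ERROR, __file__, 0, msg, args, None)
    RedactSecrets(secrets).filter(record)
    return record.getMessage()


def post_with_token(url: str, token: Secret) -> None:
    # Hypothetical failing HTTP call: like many clients, its exception
    # message echoes the request, headers included.
    headers = {"Authorization": f"token {token.reveal()}"}
    raise RuntimeError(f"POST {url} failed: 401, request headers={headers}")


def run_ci_step(url: str, token: Secret, log: logging.Logger) -> str:
    """Run the step; on failure, log the scrubbed traceback and return it."""
    try:
        post_with_token(url, token)
        return ""
    except Exception:
        tb = redact(traceback.format_exc(), [token.reveal()])
        log.error("step failed:\n%s", tb)  # the filter on 'log' scrubs again
        return tb


if __name__ == "__main__":
    TOKEN = Secret("ghp_constructedSampleToken123")  # constructed, not a real token
    logging.basicConfig(level=logging.ERROR)
    ci_log = logging.getLogger("ci")
    ci_log.addFilter(RedactSecrets([TOKEN.reveal()]))
    run_ci_step("https://api.example.invalid/repos/x/issues", TOKEN, ci_log)
```

The filter only masks values it has been told about, so every secret read from the CI environment has to be registered with it before the script logs anything.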
