On Thu, Dec 22, 2022 at 06:12:46PM +0100, Willy Tarreau wrote:
> On Thu, Dec 22, 2022 at 11:00:26PM +0600, ???? ??????? wrote:
> > I'm not sure if it is possible to issue organization based token (not a
> > personal one).
> >
> > As for visibility, secrets are not visible for pull requests.
>
> My concern is not that they are in PR or any such thing, but they're
> passed in HTTP requests and function arguments in python scripts. So
> once we get a failure, if the failed request is dumped into the CI's
> logs, or if the python interpreter emits a stack trace with all
> arguments to the functions in the stack, the build logs will reveal
> the secret. Maybe there's a way to be certain that the logs from the
> python script are never dumped to publicly accessible logs, or to
> redirect them to files only accessible to authorized people, and that
> would be fine, but until this, I don't know what such guarantees we
> have. This is my concern regarding the use of this token like this.
>
> Thanks,
> Willy

You need to be logged in to see the logs of the CI. I don't know if it is only
accessible to the people in the haproxy group or if you only need to be logged
in to GitHub.

-- 
William Lallemand
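
Added example (not part of the thread, and not the HAProxy project's code): one way a Python CI script can keep a token out of build logs when a failed request or a traceback is logged, by scrubbing known secret values in a `logging` filter before the handler writes anything. `SecretRedactor`, `call_api`, `run_with_redaction`, the logger name and the token value are all hypothetical and constructed for illustration.

```python
import base64, io, logging, traceback
from urllib.parse import quote

class SecretRedactor(logging.Filter):
    """Mask known secret values in log messages and formatted tracebacks."""

    def __init__(self, secrets):
        super().__init__()
        variants = set()
        for s in filter(None, secrets):
            # Also cover the URL-quoted and base64 forms an HTTP client may echo.
            variants |= {s, quote(s, safe=""), base64.b64encode(s.encode()).decode()}
        self._variants = sorted(variants, key=len, reverse=True)

    def scrub(self, text):
        for v in self._variants:
            text = text.replace(v, "***")
        return text

    def filter(self, record):
        record.msg, record.args = self.scrub(record.getMessage()), ()
        if record.exc_info:
            # Format the traceback ourselves so the handler only sees scrubbed text.
            tb = "".join(traceback.format_exception(*record.exc_info))
            record.exc_text, record.exc_info = self.scrub(tb), None
        return True

def call_api(token):
    # Constructed failure standing in for a client error that echoes the request.
    raise RuntimeError(f"GET /upload failed, sent 'Authorization: Bearer {token}'")

def run_with_redaction(token):
    """Run the failing call and return exactly what would reach the build log."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(SecretRedactor([token]))  # on the handler, so every record passes it
    log = logging.getLogger("ci-demo")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    try:
        call_api(token)
    except Exception:
        log.exception("upload step failed")
    return buf.getvalue()

if __name__ == "__main__":
    print(run_with_redaction("CONSTRUCTED-TOKEN-0123456789"))
```

The filter only sees what goes through `logging`: an uncaught exception is printed by `sys.excepthook` straight to stderr, so the script's entry point has to catch and log it. Only the listed encodings of the value are masked, so restricting who can read the logs still matters.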