On Thu, Dec 22, 2022 at 06:20:26PM +0100, William Lallemand wrote:
> On Thu, Dec 22, 2022 at 06:12:46PM +0100, Willy Tarreau wrote:
> > On Thu, Dec 22, 2022 at 11:00:26PM +0600, ???? ??????? wrote:
> > > I'm not sure if it is possible to issue an organization-based token (not a
> > > personal one).
> > >
> > > As for visibility, secrets are not visible for pull requests.
> >
> > My concern is not that they are in PRs or any such thing, but they're
> > passed in HTTP requests and function arguments in python scripts. So
> > once we get a failure, if the failed request is dumped into the CI's
> > logs, or if the python interpreter emits a stack trace with all
> > arguments to the functions in the stack, the build logs will reveal
> > the secret. Maybe there's a way to be certain that the logs from the
> > python script are never dumped to publicly accessible logs, or to
> > redirect them to files only accessible to authorized people, and that
> > would be fine, but until this, I don't know what guarantees we
> > have. This is my concern regarding the use of this token like this.
> >
> > Thanks,
> > Willy
>
> You need to be logged in to see the logs of the CI. I don't know if it is
> only accessible to the people in the haproxy group or if you only need to
> be logged in to github.
OK. At least this is something we need to verify before proceeding. I don't know if anyone has access to an account that is not part of the users here. Or conversely maybe we can try to look for another project's CI logs.

Willy
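The two leak paths Willy describes above, shown in a runnable form. This is an added example, not code from the haproxy project's CI scripts: the token, the endpoint URL and the failing `call_api()` stand-in are all constructed for illustration. It shows how a token passed as a function argument ends up in the build log both when the failed request is dumped into the error message and when the traceback is rendered with each frame's locals (as some CI log helpers and debug hooks do), and one mitigation: scrubbing known secret values, and their base64 form, from any text before it reaches a log sink. The scrub is string-based, so it is a safety net, not a substitute for keeping the logs private or for not passing the raw secret around in the first place.

```python
"""Show how a CI secret passed as a function argument leaks into logs,
and mask it before logging.  Added example, not haproxy project code."""
import base64
import traceback

# Constructed stand-in for a CI secret variable; not a real credential.
FAKE_TOKEN = "EXAMPLE-TOKEN-not-a-real-secret-0000"
# Hypothetical endpoint; nothing is contacted, call_api() always fails.
URL = "https://api.example.invalid/repos"


def call_api(token: str, url: str) -> None:
    """Stand-in for the HTTP call a CI script would make.  It puts the token
    in a header the way such scripts do, then fails with an error message
    that dumps the request: the first leak path (request dumped to logs)."""
    headers = {"Authorization": "token " + token}  # token now sits in a local
    raise RuntimeError(f"GET {url} failed: HTTP 500 (request headers={headers})")


def render_plain(exc: BaseException) -> str:
    """Default-style traceback: message plus frames, no local variables."""
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_with_locals(exc: BaseException) -> str:
    """Traceback rendered with every frame's locals, as some CI log helpers
    and debug hooks do: the second leak path (all arguments on the stack)."""
    te = traceback.TracebackException.from_exception(exc, capture_locals=True)
    return "".join(te.format())


def redact(text: str, secrets) -> str:
    """Mask each known secret value, and its base64 encoding, in text that is
    about to be written somewhere a non-authorized reader could see it."""
    for secret in secrets:
        for form in (secret, base64.b64encode(secret.encode()).decode()):
            text = text.replace(form, "***")
    return text


def plain_report(token: str) -> str:
    """Naive except-and-log with a plain traceback.  Still leaks, because the
    exception message itself carries the request headers."""
    try:
        call_api(token, URL)
    except RuntimeError as exc:
        return render_plain(exc)
    return ""


def leaky_report(token: str) -> str:
    """Except-and-log with locals captured: token appears as a function
    argument in every frame on the stack, plus in the message."""
    try:
        call_api(token, URL)
    except RuntimeError as exc:
        return render_with_locals(exc)
    return ""


def masked_report(token: str) -> str:
    """Same failure, but the rendered text is scrubbed before it is logged."""
    try:
        call_api(token, URL)
    except RuntimeError as exc:
        return redact(render_with_locals(exc), [token])
    return ""


if __name__ == "__main__":
    print("--- plain traceback ---")
    print(plain_report(FAKE_TOKEN))
    print("--- traceback with locals ---")
    print(leaky_report(FAKE_TOKEN))
    print("--- masked ---")
    print(masked_report(FAKE_TOKEN))
```

Run it and compare the three outputs: the token string appears in the first two and is replaced by `***` in the third. Note that `redact()` only knows the forms you tell it about; a token that is URL-encoded, hex-encoded or split across lines by a log wrapper slips through, which is why CI providers' built-in masking has the same blind spots.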