On Thu, Dec 22, 2022 at 11:35:35PM +0600, ???? ??????? wrote:
> here's how it works
>
> (unfortunately, github does not allow secret named GITHUB_ , so I created
> secret "TOKEN" and assigned it to variable GITHUB_API_TOKEN)
>
> I also added "env" to print all variables, you can see the value of
> GITHUB_API_TOKEN is masked. is it set to wrong value, so api call failed:
>
> https://github.com/chipitsine/haproxy/actions/runs/3759885064/jobs/6389967966

OK, it was supposed to appear at line 27 and was masked in the console output. And the backtrace didn't reveal the value of the argument, just their name. So normally if it fails in urllib.request.Request() it should only log the URL and "headers", nothing more.

In that case I think it's acceptable. We'll just need to watch from time to time and destroy the token if we notice it for whatever other reason (e.g. debug mode enabled in HTTP fetch showing headers etc).

Sorry for being annoying but you'll agree that the whole security around this is extremely fragile and solely relies on the console filtering known strings!

So now the next step will be for me to find my way through the painful settings interface. I'll find Tim's previous howto in my mails.

Thanks!
Willy
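
One way to keep the token out of CI logs without depending on console masking, as an added example that is not part of the original messages or of the HAProxy CI scripts: the request is described by URL and header names only, and error text is scrubbed before it is raised. The URL, token value and function names are constructed for illustration.

```python
import base64
import urllib.error
import urllib.request

MASK = "***"


def build_request(url, token):
    """Attach the token as a header so it never becomes part of the URL."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", "token " + token)
    return req


def describe(req):
    """Loggable summary: method, URL and header names, never header values."""
    return "%s %s headers=%s" % (req.get_method(), req.full_url, sorted(req.headers))


def redact(text, token):
    """Mask the token and its standalone base64 form, which an exact-match
    filter on the raw string would not catch."""
    for form in (token, base64.b64encode(token.encode()).decode()):
        text = text.replace(form, MASK)
    return text


def fetch(url, token, opener=urllib.request.urlopen):
    """Return the response body, or raise RuntimeError whose message has
    been scrubbed of the token."""
    req = build_request(url, token)
    try:
        with opener(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        msg = "%s -> HTTP %d %s" % (describe(req), exc.code, exc.reason)
    except urllib.error.URLError as exc:
        msg = "%s -> %s" % (describe(req), exc.reason)
    # "from None" drops the chained exception so the traceback printed by
    # the CI job shows only the scrubbed message.
    raise RuntimeError(redact(msg, token)) from None
```

In a workflow the token would come from `os.environ["GITHUB_API_TOKEN"]`, the variable named in the thread; the `opener` parameter exists only so the error path can be exercised offline.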

