Re: Github Actions

2019-08-28 Thread sebb
I think the pre-verified code could run on a separate system with restricted access. That's how self-service works for creating mailing lists, for example. In this case, there would need to be a separate host with read access to Jenkins. It could accept publish requests from Jenkins, and route the

Re: Github Actions

2019-08-28 Thread Francis Chuang
Hi Greg, Yes, the token is needed to push to calcite-site as we are running the job in the calcite repository. In terms of the token, if we are pushing to the calcite-site using Gitbox, then the token would be the one that is currently used in the git-websites node on Jenkins. If we want to pus

Re: Github Actions

2019-08-28 Thread Matt Sicker
Secrets masking is another thing that only works for basic cases. Don’t try encoding it and printing it, for example. Just a different character set can throw off some tools let alone base 64. On Wed, Aug 28, 2019 at 04:23, Francis Chuang wrote: > Hi Greg, > > Yes, the token is needed to push to

Re: Github Actions

2019-08-28 Thread Joan Touzet
Continuing the top-post trend... I'd rather see full audit logs kept ~forever for any use of credentials, including the code that was executed. If we can't stop the leak, we can at least keep the paper trail. Right now, with our aggressive build cleanup steps, I don't think this is happening. Ar