Posted Jun 11, 2026 11:11 UTC (Thu) by kleptog (subscriber, #1183)
> Long lived upload tokens were never as problematic, to the best of my knowledge. The problem is doing uploads from a CI that runs god knows what.
So all the creds stolen in the Trivy compromise weren't a problem? Stolen Cisco code, for example.
Doing uploads from CI/CD is very common. Even Debian publishes packages built from a build server. No one has vetted all that code. Not relying on such tokens for common actions is an improvement.
Posted Jun 11, 2026 16:10 UTC (Thu) by mathstuf (subscriber, #69389)
The issue, AIUI, is that folks just "add secrets" to their pipelines willy-nilly. Even though we run our own CI infra, we still:
- restrict secrets to protected refs (so MR pipelines don't get them)
- provide them only to named environments (so that build jobs don't get upload tokens)
These secret-using jobs tend to be of the "install rsync, run rsync"-level of complexity to keep even what runs with access to the secrets to a minimum.
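As an added illustration (not mathstuf's own configuration), here is a `.gitlab-ci.yml` that applies the two restrictions above. It assumes the secret is a CI/CD variable named `RSYNC_PASSWORD` (the name rsync reads for daemon authentication) defined in the project settings with "Protect variable" enabled and an environment scope of `production`; the hostname and paths are placeholders.

```yaml
# Added example, not taken from the thread. Assumes a project-level CI/CD
# variable RSYNC_PASSWORD that is marked "Protect variable" (only pipelines
# on protected refs receive it) and scoped to the "production" environment
# (only jobs declaring that environment receive it).

stages:
  - build
  - publish

# The build job runs the repository's own code plus whatever its
# dependencies and test suite pull in. It declares no environment, so no
# environment-scoped variable is injected, and it is allowed to run on
# merge-request pipelines, where protected variables are withheld anyway.
build:
  stage: build
  image: debian:bookworm-slim
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH
  script:
    - ./build.sh            # placeholder for the real build
  artifacts:
    paths:
      - dist/

# The publish job is the only job that ever sees RSYNC_PASSWORD, and it is
# kept to "install rsync, run rsync" so that as little code as possible
# executes with the secret in its environment.
publish:
  stage: publish
  image: debian:bookworm-slim
  environment:
    name: production        # matches the variable's environment scope
  rules:
    # Only pipelines on protected refs (release branches, tags) may upload.
    - if: $CI_COMMIT_REF_PROTECTED == "true"
  needs:
    - build
  script:
    - apt-get update && apt-get install -y --no-install-recommends rsync
    # rsync daemon mode reads the password from RSYNC_PASSWORD; the
    # destination below is a placeholder.
    - rsync -az --delete dist/ rsync://deploy@packages.example.invalid/packages/
```

The two properties are enforced by the variable's settings in the project UI rather than by this file; the `environment` and `rules` keys here only make sure that no other job asks for the secret and that the upload job never runs where it would be withheld.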