YappyGitLab
init repo with secret token
Currently anybody can configure any repo on any Discord; this is a security issue.
Requiring the repo secret token is the best way to fix it and avoid info leaks through your bot.
Not much info can be leaked apart from commit messages, issues & merge requests, but I agree. This is planned for the future. May use GitLab OAuth as well... not sure.
Commits give info about new features, security fixes, etc. Then it's a security issue to not support the repo token.
Adding an access token would be cool too, but a guy with read-only access shouldn't be able to configure the repo; this is why I'd prefer to use the repo token.
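
One way to implement the check requested in this thread, as an added example that is not part of the original discussion and not YappyGitLab's code: each channel's `init` records a digest of the repo's webhook secret token, and an incoming event reaches only channels whose stored token matches the `X-Gitlab-Token` header GitLab sends. `RepoBindings`, `init` and `channelsFor` are hypothetical names, and the sample tokens and channel ids are constructed.

```javascript
// Added example, not YappyGitLab code. All names here are hypothetical.
const crypto = require('crypto');

// Fixed-length digest so timingSafeEqual never sees buffers of unequal length.
const digest = (token) => crypto.createHash('sha256').update(token, 'utf8').digest();

class RepoBindings {
  constructor() {
    this.byRepo = new Map(); // repo path -> Map(channelId -> token digest)
  }

  // Handler for a hypothetical "init <repo> <secret token>" command.
  // The token is stored only as a digest; an empty token is refused.
  init(repo, channelId, token) {
    if (typeof token !== 'string' || token.length === 0) return false;
    if (!this.byRepo.has(repo)) this.byRepo.set(repo, new Map());
    this.byRepo.get(repo).set(channelId, digest(token));
    return true;
  }

  // Called per incoming webhook. GitLab sends the hook's secret token in
  // the X-Gitlab-Token header (Node lowercases header names); only channels
  // that were initialised with that same token get the event.
  channelsFor(repo, headers) {
    const sent = headers['x-gitlab-token'];
    const channels = this.byRepo.get(repo);
    if (!channels || typeof sent !== 'string' || sent.length === 0) return [];
    const sentDigest = digest(sent);
    const out = [];
    for (const [channelId, stored] of channels) {
      if (crypto.timingSafeEqual(stored, sentDigest)) out.push(channelId);
    }
    return out;
  }
}

// Constructed sample data: the owner knows the hook's token, the outsider guesses.
const bindings = new RepoBindings();
bindings.init('group/project', 'owner-channel', 's3cret-from-gitlab-settings');
bindings.init('group/project', 'outsider-channel', 'guess');
```

A channel initialised with the wrong token simply never matches, so it cannot receive the repo's events and cannot block the real owner from configuring the same repo.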