Fix: Move Coveralls token to GitHub secret (resolves #4918)
Hello @randombit,
There is an issue notification, #4918, that the Coveralls repository token in .github/workflows/ci.yml is publicly visible. As noted, it has the potential to create a security vulnerability. Test outputs can be routed externally, buggy code content can be hidden, long-term obfuscation can be done, etc.
To address this, ci.yml has been updated to use ${{ secrets.COVERALLS_REPO_TOKEN }} instead of the hardcoded token.
This requires maintainer action to create the repository secret.
@randombit I see that this development is currently assigned to you; I wanted to help to save you some time.
You can introduce the current open token as the new secret and update it with a new token after seeing ci.yml run successfully. The old one will be canceled in this way.
Hope it will save time, best regards.
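The weak and corrected forms of the workflow step, plus a check that catches the weak form before it is committed, as an added example that is not part of this PR and not Botan's actual ci.yml. Both YAML snippets are constructed, the token value is a made-up placeholder, and the function names (`has_hardcoded_token`, `scan_workflows`) are this example's own:

```shell
#!/bin/sh
# Added example: flag a Coveralls token written into a GitHub Actions
# workflow file instead of being read from a repository secret.
# The YAML below is constructed for this example; the token is a placeholder.

# Weak form: the token literal is committed to the repository and is
# readable by anyone who can see the workflow file.
HARDCODED_YAML='    - name: Upload coverage
      env:
        COVERALLS_REPO_TOKEN: 0123456789abcdef0123456789abcdef0123
      run: coveralls'

# Corrected form: the value is stored as the repository secret
# COVERALLS_REPO_TOKEN and substituted by GitHub Actions at run time.
SECRET_YAML='    - name: Upload coverage
      env:
        COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
      run: coveralls'

# Reads workflow YAML on stdin. Exits 0 if COVERALLS_REPO_TOKEN (env style)
# or repo_token (action-input style) is assigned a non-empty value that is
# not a ${{ secrets.* }} expression, i.e. a hardcoded token; exits 1 otherwise.
has_hardcoded_token() {
    grep -E '^[[:space:]]*(COVERALLS_REPO_TOKEN|repo_token):[[:space:]]*[^[:space:]]' \
        | grep -qvE '\$\{\{[[:space:]]*secrets\.[A-Za-z0-9_]+[[:space:]]*\}\}'
}

# Scans each file given as an argument, prints the offenders and returns 1
# if any was found, so it can gate a pre-commit hook or a CI job.
scan_workflows() {
    rc=0
    for f in "$@"; do
        if has_hardcoded_token < "$f"; then
            echo "hardcoded Coveralls token in $f"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo on the two constructed snippets; in a real repository
# you would run: scan_workflows .github/workflows/*.yml
tmp=$(mktemp -d)
printf '%s\n' "$HARDCODED_YAML" > "$tmp/before.yml"
printf '%s\n' "$SECRET_YAML" > "$tmp/after.yml"
if scan_workflows "$tmp/before.yml" "$tmp/after.yml"; then
    echo "no hardcoded tokens found"
fi
rm -rf "$tmp"
```

The secret itself is created by a maintainer, for example with `gh secret set COVERALLS_REPO_TOKEN` (which reads the value from stdin) or through the repository's Settings page; once the workflow runs successfully with the secret, the exposed token should be regenerated on Coveralls and the secret updated, since a token that has been public must be treated as compromised regardless of where it is stored afterwards.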
@randombit Is there anything we can do to help here? Apparently automatic scanners (e.g. gitguardian.com) pick this up and contacted us about a potential security issue regarding this token in the R&S fork.