actions-flutter-pub-publisher
Possible leak of credential
For my package adwaita, I'm hit by this error:
```
Publishing adwaita 0.0.4 to https://pub.dartlang.org:
|-- CHANGELOG.md
|-- LICENSE
|-- README.md
|-- analysis_options.yaml
|-- credentials.json
|-- example
|   |-- README.md
|   |-- lib
|   |   '-- main.dart
|   '-- pubspec.yaml
|-- images
|   |-- dark.png
|   '-- light.png
|-- lib
|   |-- adwaita.dart
|   '-- src
|       |-- theme.dart
|       '-- utils
|           '-- colors.dart
'-- pubspec.yaml
Downloading vector_math 2.1.1...
Downloading typed_data 1.3.0...
Downloading meta 1.7.0...
Downloading collection 1.15.0...
Downloading characters 1.2.0...
Package validation found the following errors:
* line 1, column 197 of credentials.json: Potential leak of Google OAuth Refresh Token detected.
  ╷
1 │ ***
  │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ╵
* line 1, column 16 of credentials.json: Potential leak of Google OAuth Access Token detected.
  ╷
1 │ ***
  │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  ╵
Add a git-ignore style pattern to `false_secrets` in `pubspec.yaml`
```
It seems as if the action tries to push my credentials with the package for some reason. I've added the credential as a secret and my YAML file is:
```yaml
name: Publish plugin
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v1
      - name: Publish
        uses: sakebook/[email protected]
        with:
          credential: ${{ secrets.CREDENTIAL_JSON }}
          flutter_package: false
          skip_test: true
          dry_run: true
```
Which seems standard :/. What am I missing?
@MalcolmMielle
I guess maybe your credential was expired.
Please try to update your credentials.
I did a `pub logout` followed by `pub login` right before testing the action. Is that enough?
@MalcolmMielle
Your credentials are stored on GitHub. Please try to update the secret.
This is what I did before having the problem:
- `pub logout`
- `pub login`
- Update secret on GitHub from the new credentials.

It seems to me that the problem is that the `credential.json` is somehow being uploaded to pub.dev?
@MalcolmMielle
I see.
Please try to use `v1.3.1`?
I recently updated to `v1.4.0`. I want to isolate the problem.
I will try that :)!
Thanks a lot for the help.
Edit: The workflow worked on v1.3.1. No credential.json was pushed on pub.dev
Rolling back to v1.3.1 did not work for me.
I tried adding this line to `.pubignore` file:
```
credentials.json
```
And it works fine but I get another error:
Pub needs your authorization to upload packages on your behalf.
Hi, any update on this?
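
A pre-publish check for the situation discussed in this thread, as an added example that is not part of the thread or of the action's own code: it looks for JSON files holding OAuth tokens inside the package directory and reports those that `.pubignore` does not exclude. Assumptions: the credentials file is a JSON object with `accessToken` / `refreshToken` keys, ignore matching is simplified to plain name and glob patterns, and all function names are hypothetical.

```python
import fnmatch
import json
import os
import tempfile

TOKEN_KEYS = {"accessToken", "refreshToken"}  # assumed keys of a pub credentials file

def load_ignore_patterns(root):
    """Read .pubignore; only plain name/glob lines are handled (simplified)."""
    path = os.path.join(root, ".pubignore")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]

def is_ignored(rel_path, patterns):
    """Match the relative path or its basename against each pattern."""
    name = os.path.basename(rel_path)
    return any(fnmatch.fnmatch(rel_path, p.lstrip("/")) or fnmatch.fnmatch(name, p)
               for p in patterns)

def find_publishable_credentials(root):
    """Return relative paths of token-bearing JSON files that are not ignored."""
    patterns = load_ignore_patterns(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fname in (f for f in filenames if f.endswith(".json")):
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or not JSON: not a credentials file
            if isinstance(data, dict) and TOKEN_KEYS & data.keys():
                if not is_ignored(rel, patterns):
                    hits.append(rel)
    return sorted(hits)

def demo():
    """Constructed sample: a package dir with credentials.json, before/after .pubignore."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "credentials.json"), "w") as fh:
            json.dump({"accessToken": "SAMPLE", "refreshToken": "SAMPLE"}, fh)
        before = find_publishable_credentials(root)
        with open(os.path.join(root, ".pubignore"), "w") as fh:
            fh.write("credentials.json\n")
        return before, find_publishable_credentials(root)
```

Run as a workflow step before publishing, a non-empty result from `find_publishable_credentials(".")` is a reason to fail the job.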