Do you need any help rotating secrets, etc, @slipset?
I’ve rotated the Clojars secrets I control, but there might be others that I don’t know about, but I’m not sure. So unless you have any keys in clj-yaml/rewrite-clj, I think we’re good.
The clj-commons libs I'm a maintainer on (etaoin, clj-yaml, clj-http-lite, rewrite-clj) are all on GitHub Actions. So no CircleCI concerns there.
Anything needed to be rotated with jar signing secrets?
I've got a loooot of circleci projects and I don't feel like rotating all those things today as I'm still recovering from a stomach flu.. what's the worst that could happen?
First, sorry to hear you've been sick! And glad you are on the mend!
I guess it depends on what doors your secrets unlock. If it is only clojars tokens, I guess you'd notice someone else deploying an artifact.
all my circleci tokens are scoped to individual projects
Mine too
and only give access to deploying on clojars
What about github tokens? If you are using those, depending on the access they grant, might be worth changing?
ah drat, you're right
this will take me 3 days to change the whole shebang, damnit
:sad panda:
yeah, the borkverse is vast, it does suck
The Circle Deploy key should be safe?
deploy key?
ok, I'm not using those I think
I think you are (by default) when you set up a project in Circle?
oh yes, I see now
I'll replace those env vars as best as I can then... grumble
But normally, these seem to be read only keys (unless you’ve given more privileges) and AFAICT, the leakage of these shouldn’t matter for public repos.
I think you are right @slipset, https://github.blog/2015-06-16-read-only-deploy-keys/. So basically they grant ssh clone privs?
That’s my understanding, so they shouldn’t be a problem unless there are private repos involved, which clj-commons have none.
well, I re-configured a bunch of things and removed all my old tokens, so next time I'm about to deploy and something fails, I'm forced to create a new token
But you won’t remember why nor how 😕
It doesn't matter, I'll just make a new one
And you’ll be on your lawn yelling at the clouds.
yep
but not all on the same day :-D
Well, actually, I don’t think you can.
As I’ve already done so 🙂
awesome, thanks!
Woah! I'm finally part of the elite! But seriously, thanks, this will make life easier.
Such power! Clojars creds re-configured for clj-yaml and clj-http-lite.