[Twisted-Python] Codecov.io security incident

Glyph glyph at twistedmatrix.com
Fri Apr 16 13:14:23 MDT 2021


> On Apr 16, 2021, at 11:26 AM, Adi Roiban <adi at roiban.ro> wrote:
> 
> For twisted/twisted and I think that other repos the main secret available for GitHub Action is the PYPY upload token.

Just to make sure here - you mean PyPI, right?

> I guess that what we can do is stop using the codecov.io bash uploader and
> switch back to python uploader.
> 
> Any other ideas ?

I think we are actually OK given the constraints on the env vars, but just to be safe, we should invalidate / rotate the PyPI upload token. Any admins have a few spare minutes to do that? (And like… check to make sure nobody uploaded anything surprising on our project page ;-)).

-g
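The "check the project page for surprising uploads" step above can be done mechanically rather than by eye. The following is an added example, not code from the thread or from the Twisted project: it reads the release listing in the shape served by the public PyPI JSON API (`https://pypi.org/pypi/<project>/json`, whose `releases` map holds per-file `filename` and `upload_time_iso_8601` fields) and flags two things a maintainer would want to see after a token exposure: files uploaded inside a review window, and files added to an already-published version long after that version's first file. `SAMPLE_DATA`, the project name, the window dates and the `late_file_days` threshold are all constructed for the example.

```python
"""Audit a PyPI project's release history for unexpected uploads.

Added example; not part of the mailing-list thread. The record layout follows
the public PyPI JSON API, but SAMPLE_DATA below is constructed and does not
describe any real project's history.
"""
import json
from datetime import datetime
from urllib.request import urlopen

# Constructed sample: "21.2.0" was released in February, then an extra file
# appeared under the same version weeks later, and a new version "21.2.1"
# showed up in April. Neither event reflects real PyPI data.
SAMPLE_DATA = {
    "info": {"name": "example-project"},
    "releases": {
        "21.2.0": [
            {"filename": "example_project-21.2.0-py3-none-any.whl",
             "upload_time_iso_8601": "2021-02-28T12:00:00.000000Z"},
            {"filename": "example_project-21.2.0.tar.gz",
             "upload_time_iso_8601": "2021-02-28T12:01:00.000000Z"},
            {"filename": "example_project-21.2.0-cp39-cp39-win_amd64.whl",
             "upload_time_iso_8601": "2021-04-03T04:12:00.000000Z"},
        ],
        "21.2.1": [
            {"filename": "example_project-21.2.1-py3-none-any.whl",
             "upload_time_iso_8601": "2021-04-05T09:30:00.000000Z"},
        ],
    },
}


def parse_ts(value):
    """Parse the API's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fetch_project(name, timeout=30):
    """Download the live release listing for a project (network access)."""
    with urlopen(f"https://pypi.org/pypi/{name}/json", timeout=timeout) as resp:
        return json.load(resp)


def suspicious_uploads(data, window_start, window_end=None, late_file_days=7):
    """Return (version, filename, reason) tuples worth a human look.

    A file is reported when it was uploaded inside [window_start, window_end]
    (window_end=None means "up to now"), and separately when it was added to
    a version at least late_file_days after that version's first file, since
    a file quietly appended to an old release is easy to miss on the web page.
    """
    findings = []
    for version, files in data["releases"].items():
        if not files:
            continue
        stamps = [parse_ts(f["upload_time_iso_8601"]) for f in files]
        first = min(stamps)
        for record, ts in zip(files, stamps):
            in_window = ts >= window_start and (window_end is None or ts <= window_end)
            if in_window:
                findings.append((version, record["filename"], "uploaded inside review window"))
            delay = (ts - first).days
            if delay >= late_file_days:
                findings.append((version, record["filename"],
                                 f"added {delay} days after the release's first file"))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_DATA with fetch_project("<project>") to audit a live project.
    for version, filename, reason in suspicious_uploads(
            SAMPLE_DATA, parse_ts("2021-04-01T00:00:00Z")):
        print(f"{version:10} {filename:55} {reason}")
```

Run it against the live listing with `fetch_project("<project>")` and a window starting at the earliest date the exposed token could have been used; anything it prints should be matched against the project's own release records, and the token should be rotated regardless of whether the list is empty.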



