[tor-project] PSA: GitLab tokens expiring
Antoine Beaupré
anarcat at torproject.org
Wed May 29 16:09:02 UTC 2024
At least one person asked "wait, does this affect me? what is this?", so
let me clarify a bit.
If you don't know what a personal access token is, you are likely not
affected and can disregard this.
If you're not sure, and everything is still working, you're likely not
affected. A precaution might be to look at your projects continuous
integration (CI) pipelines to see if they are still green, consider
running scheduled pipelines manually to see if they break.
If you don't know what CI is, you're likely not affected.
If you want to audit your projects thoroughly, you can use an audit
script I wrote:
https://gitlab.torproject.org/tpo/tpa/gitlab-tools/-/blob/33a00c1f37e3988ba6404f6b68ac503cc120e482/gitlab-tokens-audit.py
it will show you projects with private tokens (before they are expired
AKA destroyed) and secret project variables that *might* be backed by
tokens.
Example run for TPA:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41510#note_2997204
A.
--
Antoine Beaupré
torproject.org system administration
More information about the tor-project
mailing list