[tor-project] PSA: GitLab tokens expiring

Antoine Beaupré anarcat at torproject.org
Thu Sep 19 20:59:31 UTC 2024


Hi again,

So remember last May, we all had to jump to fix access tokens in GitLab
because they suddenly started expiring?

No? Well, ignore this message then, whoohoo, lucky you.

Yes? Or you've forgotten about this and are thinking "oh shoot, is this
still a thing OMG WILL EVERYTHING BREAK?"

Well, I got you covered. We just upgraded to the shiny new GitLab 17.4
and it has an option to disable maximum expiry dates for access tokens.

So I disabled enforced expiry dates on gitlab.torproject.org.

Note that you will most likely *still* have tokens expiring, and will
very likely require my script below to figure out how to deal with this.

The next catastrophe for this is scheduled in May 2025, because that's
when the tokens we fixed in May 2024 will expire.

But hopefully now you have a way to fix this issue forever.

See also:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41510

Have a good weekend!

a.

On 2024-05-29 12:09:02, Antoine Beaupré wrote:
> At least one person asked "wait, does this affect me? what is this?", so
> let me clarify a bit.
>
> If you don't know what a personal access token is, you are likely not
> affected and can disregard this.
>
> If you're not sure, and everything is still working, you're likely not
> affected. A precaution might be to look at your projects' continuous
> integration (CI) pipelines to see if they are still green, consider
> running scheduled pipelines manually to see if they break.
>
> If you don't know what CI is, you're likely not affected.
>
> If you want to audit your projects thoroughly, you can use an audit
> script I wrote:
>
> https://gitlab.torproject.org/tpo/tpa/gitlab-tools/-/blob/33a00c1f37e3988ba6404f6b68ac503cc120e482/gitlab-tokens-audit.py
>
> it will show you projects with private tokens (before they are expired
> AKA destroyed) and secret project variables that *might* be backed by
> tokens.
>
> Example run for TPA:
>
> https://gitlab.torproject.org/tpo/tpa/team/-/issues/41510#note_2997204
>
> A.
>
> -- 
> Antoine Beaupré
> torproject.org system administration
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project

-- 
Antoine Beaupré
torproject.org system administration
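
Added example, not part of the original message and not the gitlab-tokens-audit.py script linked above: a minimal offline sketch of the kind of check described in the thread, run over constructed records shaped like GitLab's REST API responses for project access tokens and project variables. The token names, dates, variable keys, the 30-day warning window and the "masked means possibly a token" heuristic are all assumptions made for illustration.

```python
import json
from datetime import date

# Constructed sample data shaped like GitLab REST API responses for
# GET /projects/:id/access_tokens and GET /projects/:id/variables.
TOKENS_JSON = """[
  {"id": 1, "name": "ci-deploy", "revoked": false, "active": true, "expires_at": "2025-05-20"},
  {"id": 2, "name": "mirror-push", "revoked": false, "active": true, "expires_at": "2024-10-01"},
  {"id": 3, "name": "old-bot", "revoked": false, "active": false, "expires_at": "2024-05-15"},
  {"id": 4, "name": "forever", "revoked": false, "active": true, "expires_at": null}
]"""
VARIABLES_JSON = """[
  {"key": "DEPLOY_TOKEN", "masked": true, "protected": true},
  {"key": "BUILD_FLAGS", "masked": false, "protected": false}
]"""

def classify_token(token, today, warn_days=30):
    """Return (status, days_left) for one access token record."""
    if token.get("revoked"):
        return "revoked", None
    if token.get("expires_at") is None:
        # Only possible for tokens created without an expiry date.
        return "no-expiry", None
    days_left = (date.fromisoformat(token["expires_at"]) - today).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring-soon", days_left
    return "ok", days_left

def audit(tokens, variables, today, warn_days=30):
    """Summarise token expiry and list variables that may hold a token."""
    report = {"tokens": {}, "suspect_variables": []}
    for tok in tokens:
        report["tokens"][tok["name"]] = classify_token(tok, today, warn_days)
    # Assumption: a masked variable is a secret that *might* be a token,
    # so it is listed for manual review rather than judged automatically.
    report["suspect_variables"] = [v["key"] for v in variables if v.get("masked")]
    return report

if __name__ == "__main__":
    today = date(2024, 9, 19)  # fixed date so the output is repeatable
    result = audit(json.loads(TOKENS_JSON), json.loads(VARIABLES_JSON), today)
    for name, (status, days) in result["tokens"].items():
        print(f"{name:12} {status:14} {'' if days is None else days}")
    print("check by hand:", ", ".join(result["suspect_variables"]))
```

Tokens that already carry an expiry date keep it after enforcement is switched off, which is why "ci-deploy" in the sample still shows a May 2025 deadline.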

