ALERT: Potential exposure of PyPI tokens

Question

ALERT: Potential exposure of PyPI tokens

effigies opened this issue 3 years ago · comments

This morning (15 April 2021), I received a security update from CodeCov: https://about.codecov.io/security-update/

PyBV was affected by this issue because we use the CodeCov GitHub action, which means tokens were potentially exposed. There are PYPI secrets in the repository settings that should be revoked.

I strongly suggest moving to API tokens that are more easily rotated in the future.

Stefan Appelhoff · Answer 1 · Thu Apr 15 2021 23:53:26 GMT+0800 (China Standard Time)

Thanks @effigies, I changed pypi passwords and updated the tokens.

I strongly suggest moving to API tokens that are more easily rotated in the future.

do you have further information on what you mean by that?

Chris Markiewicz · Answer 2 · Fri Apr 16 2021 00:51:03 GMT+0800 (China Standard Time)

https://pypi.org/help/#apitoken

Stefan Appelhoff · Answer 3 · Fri Apr 16 2021 02:24:34 GMT+0800 (China Standard Time)

I see, thank you.

I generated tokens with repo-specific upload permissions and updated the secrets in GitHub accordingly.