<https://blog.teddykatz.com/2021/03/17/github-acti...
# corem
Mike Myers
03/24/2021, 5:42 PMhttps://blog.teddykatz.com/2021/03/17/github-actions-write-access.html that is not good to read
Mike Myers
03/24/2021, 5:43 PMthe TLDR: GitHub secrets are safest in private repos
s
seph
03/24/2021, 7:09 PM
I don't think any of our current plans have much for secrets.
seph
03/24/2021, 7:09 PM
But yeah, I also read this a ago
seph
03/24/2021, 7:09 PM
Definitely doesn't sound good.
seph
03/24/2021, 7:10 PM
Also sounds related to the long known and ignored thing where I can make it look like shas are part of upstream repos.
t
theopolis
03/24/2021, 11:13 PM
Everything has bugs, what’s impressive is GitHub’s response and the timeline, demonstrating again that they take this seriously.
theopolis
03/24/2021, 11:15 PM
I’d still trust Secrets, but out long term plan is to use 1password or a similar off-platform solution to hold API access to credentials. This way we can incorporate a MFA check too.
👌 1
s
seph
03/24/2021, 11:52 PM
maybe. Sorta? I think github has some pretty neat security stuff (the various scanning. the semmle acquisition). And while this did get fixed promptly, I think it’s also a bandaid because some backend can’t actually tell what org a commit is from. So there’s a shakey base.
seph
03/24/2021, 11:52 PM
(hahahaha, like c memory management)
9 Views