[Ci-users] api key not really used in a secret way

Colin Walters walters at verbum.org
Wed Apr 13 16:13:34 UTC 2016


Not that this really matters a lot since we can probably trust each
other right now not to use others' resources, but I noticed many
people end up leaking the API key publicly, e.g.
https://ci.centos.org/job/bstinson-centpkg-unittests/configure
and
https://ci.centos.org/job/adb-openshift-vagrantfile-tests/12/console
and several others.

The two problems seem to be including the Python script raw
as a builder (which Jenkins exposes as public data), or
injecting it as an environment variable (which shows up in the Jenkins
console logs).

I created:
https://github.com/kbsingh/centos-ci-scripts/pull/4
but since there are many forks of this now, multiple groups will
need to change their copies too.
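
Added example, not part of the original message or of the linked pull request: one way to avoid both leak paths described above is to keep the key in an owner-only file on the build host, so it appears neither in the job configuration nor in the environment, and to mask it in anything printed to the console. The path ~/.ci-api-key, the provisioner.example URL and all function names are assumptions made for illustration.

```python
import os
import stat
from urllib.parse import quote_plus, urlencode

# Hypothetical location: the key lives on the build host, not in the job config.
DEFAULT_KEY_PATH = os.path.expanduser("~/.ci-api-key")


class KeyFileError(Exception):
    """The key file is missing, empty, or accessible to other users."""


def load_api_key(path=DEFAULT_KEY_PATH):
    """Read the key from a file that only its owner can access."""
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        raise KeyFileError(f"cannot stat {path}: {exc}") from exc
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise KeyFileError(f"{path} is accessible to group/other; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not key:
        raise KeyFileError(f"{path} is empty")
    return key


def redact(text, key):
    """Mask the key, raw or URL-encoded, before text reaches the console log."""
    for form in {key, quote_plus(key)}:
        text = text.replace(form, "[REDACTED]")
    return text


def request_url(base, key, **params):
    """Build the request URL; log it only through redact()."""
    return f"{base}?{urlencode({'key': key, **params})}"


if __name__ == "__main__":
    key = load_api_key()
    # Constructed URL for illustration only.
    url = request_url("https://provisioner.example/Node/get", key, arch="x86_64")
    print("requesting", redact(url, key))
```

The job configuration then only needs to invoke the script by path, so neither the public configure page nor the console log contains the key itself.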



