digitalmars.D - Temporarily disabled releases for DCD, D-Scanner, dfmt

Thread index (all posts May 05 2021):
- WebFreak001: CodeCov was compromised and used in some dlang-community ...
- Basile B.: No, this kind of stuff (CI, devops, ...) was always managed by Seb.
- Basile B.: Lol, forget this... this is BS. They can't know that, unless they ...
- Basile B.: The **write access** criterion is still valid however.
- Basile B.: I remember now. I've deleted the ones set up by Seb by error. Then ...
- WebFreak001: oh right sorry, thought that was the case because they broke ...
- Basile B.: I did not get this one for my gitlab stuff. I got the first one ...
WebFreak001, May 05 2021:

CodeCov was compromised and used in some dlang-community repositories with the same GitHub access token for Travis to upload releases. GitHub sent me a mail that the access token was potentially compromised and had suspicious behavior.

I have disabled the GitHub access token that is used for dlang-community releases, but it seems like I cannot access the Travis settings to manage secrets anymore (or can't find them). So currently the release scripts will be broken.

Anyone with access to the secrets on Travis who can put in new access tokens? It used to be tokens by Basile who has quit GitHub before, so I replaced them with my personal access tokens which are now compromised and can't be used anymore. For new access tokens I can't find the access, but it would be nice if the dlang-bot's access tokens could be used for this instead.

See https://github.com/dlang-community/DCD/issues/634
Basile B., May 05 2021:

On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
> CodeCov was compromised and used in some dlang-community repositories with the same GitHub access token for Travis to upload releases. GitHub sent me a mail that the access token was potentially compromised and had suspicious behavior. I have disabled the GitHub access token that is used for dlang-community releases, but it seems like I cannot access the Travis settings to manage secrets anymore (or can't find them). So currently the release scripts will be broken. Anyone with access to the secrets on Travis who can put in new access tokens? It used to be tokens by Basile who has quit GitHub before,

No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

> so I replaced them with my personal access tokens which are now compromised and can't be used anymore. For new access tokens I can't find the access, but it would be nice if the dlang-bot's access tokens could be used for this instead. See https://github.com/dlang-community/DCD/issues/634

BTW, for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem. The reason why you might have got the email is that at the account level (personal or organization):

1. you have defined one token,
2. one of the repos registered under this ID uses CodeCov,
3. by security they sent the mail.

And even if you have exposed the secret, it does not mean that it had **Write Access**.
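Basile's point above turns on whether a CI job actually exposed its secrets, which is something a build log can be checked for. The Python script below is an added example, not code from this thread or from any dlang-community project: given the secret values a job was started with, it scans a build log for them in the forms they commonly leak in (verbatim, percent-encoded in a URL, or inside a base64 dump of the environment) and redacts them. The secret names, values and log lines are all constructed placeholders.

```python
"""Check a CI build log for secret values that leaked into the output.

Added example, not code from the thread or from dlang-community.
Secret names, values and log lines below are constructed placeholders.
"""
import base64
import re
from urllib.parse import quote

# Constructed: the secrets the CI job was started with (placeholder values).
SECRETS = {
    "GITHUB_TOKEN": "ghp_EXAMPLEtoken0123456789abcdefXYZ",
    "CODECOV_TOKEN": "11111111-2222-3333-4444-555555555555",
    "TRAVIS_DEPLOY_KEY": "p@ss/word+1=",
}

# Base64 of "GITHUB_TOKEN=<value>", as an `env | base64` dump would produce it.
_B64_DUMP = base64.b64encode(
    b"GITHUB_TOKEN=" + SECRETS["GITHUB_TOKEN"].encode()
).decode()

# Constructed build log: line 3 echoes the environment, line 5 is a git
# error that embeds the token in a URL, line 6 percent-encodes a deploy key,
# line 7 is a base64 dump of the environment, line 8 prints a token.
SAMPLE_LOG = "\n".join([
    "$ export CI=true",
    "$ ./build.sh",
    "GITHUB_TOKEN=" + SECRETS["GITHUB_TOKEN"],
    "$ dub test",
    "fatal: unable to access 'https://x-access-token:"
    + SECRETS["GITHUB_TOKEN"] + "@github.com/example-org/example-repo/'",
    '$ curl -s -d "key=p%40ss%2Fword%2B1%3D" https://deploy.example/upload',
    "env dump: " + _B64_DUMP,
    "codecov token=" + SECRETS["CODECOV_TOKEN"] + " uploaded",
    "done",
]) + "\n"

# A run of base64 alphabet long enough to hide a secret; "=" padding optional.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _try_b64decode(run: str):
    """Decode a base64-looking run, adding missing padding; None if not base64."""
    padded = run + "=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def _hides_secret(run: str, secrets: dict) -> bool:
    """True if a base64 run decodes to bytes containing any secret value."""
    decoded = _try_b64decode(run)
    return decoded is not None and any(v.encode() in decoded for v in secrets.values())


def find_leaks(log_text: str, secrets: dict) -> list:
    """Return (line_no, secret_name, form) for every secret value seen in the log.

    Forms checked: verbatim ("plain"), percent-encoded ("urlencoded") and
    inside a base64 run ("base64").  One finding per secret per line.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, value in secrets.items():
            if value in line:
                findings.append((line_no, name, "plain"))
                continue
            encoded = quote(value, safe="")
            if encoded != value and encoded in line:
                findings.append((line_no, name, "urlencoded"))
                continue
            for run in _B64_RUN.findall(line):
                decoded = _try_b64decode(run)
                if decoded is not None and value.encode() in decoded:
                    findings.append((line_no, name, "base64"))
                    break
    return findings


def redact(log_text: str, secrets: dict) -> str:
    """Return the log with every detected form of each secret replaced by '***'."""
    out = []
    for line in log_text.splitlines():
        for value in secrets.values():
            line = line.replace(value, "***")
            encoded = quote(value, safe="")
            if encoded != value:
                line = line.replace(encoded, "***")
        line = _B64_RUN.sub(
            lambda m: "***" if _hides_secret(m.group(0), secrets) else m.group(0), line
        )
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, name, form in find_leaks(SAMPLE_LOG, SECRETS):
        print(f"line {line_no}: {name} leaked ({form})")
```

The base64 check decodes every long run of base64 characters rather than looking for the encoding of the secret itself, because a secret embedded in a larger dump (as in line 7) is encoded at an arbitrary 3-byte alignment and its own base64 form never appears as a substring. Running the script on the sample log reports lines 3, 5, 6, 7 and 8; the same checks applied to a log before it is published (or to CI output the provider failed to mask) tell you whether a token has actually been exposed and needs rotating, which is the distinction Basile draws above.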
Basile B., May 05 2021:

On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
> The reason why you might have got the email is that at the account level (personal or organization) 1. you have defined one token. 2. one of the repos registered under this ID uses CodeCov. 3. by security they sent the mail.

Lol, forget this... this is BS. They can't know that, unless they have collaborated with GH and GL; it's a different company. So the reason why we got the second mail might be even more simple:

1. you use CodeCov
Basile B., May 05 2021:

On Wednesday, 5 May 2021 at 12:51:37 UTC, Basile B. wrote:
> On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
>> The reason why you might have got the email is that at the account level (personal or organization) 1. you have defined one token. 2. one of the repos registered under this ID uses CodeCov. 3. by security they sent the mail.
>
> Lol, forget this... this is BS. They can't know that, unless they have collaborated with GH and GL; it's a different company. So the reason why we got the second mail might be even more simple: 1. you use CodeCov

The **write access** criterion is still valid however.
Basile B., May 05 2021:

On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>> CodeCov was compromised and used in some dlang-community repositories with the same GitHub access token for Travis to upload releases. GitHub sent me a mail that the access token was potentially compromised and had suspicious behavior. I have disabled the GitHub access token that is used for dlang-community releases, but it seems like I cannot access the Travis settings to manage secrets anymore (or can't find them). So currently the release scripts will be broken. Anyone with access to the secrets on Travis who can put in new access tokens? It used to be tokens by Basile who has quit GitHub before,
>
> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

I remember now. I've deleted the ones set up by Seb by error. Then automatic releases were broken. Then the ones I regenerated did not work because I missed some info to link to the release bot; probably only Seb could do that. So those tokens were not able to do anything anyway. You should test if the new ones are able to upload, let's say by pushing a tag somewhere. You should find a trace of this in the community discussion of dlang-community.
WebFreak001, May 05 2021:

On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>> [...]
>
> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?

oh right sorry, thought that was the case because they broke roughly around that time.

> [...]
> BTW, for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem. The reason why you might have got the email is that at the account level (personal or organization) 1. you have defined one token. 2. one of the repos registered under this ID uses CodeCov. 3. by security they sent the mail. And even if you have exposed the secret, it does not mean that it had **Write Access**.

I think it was compromised because they sent me a mail that it had been used in "suspicious requests" along with information of the IPs that made the requests.
Basile B., May 05 2021:

On Wednesday, 5 May 2021 at 15:13:17 UTC, WebFreak001 wrote:
> On Wednesday, 5 May 2021 at 12:39:47 UTC, Basile B. wrote:
>> On Wednesday, 5 May 2021 at 12:26:52 UTC, WebFreak001 wrote:
>>> [...]
>>
>> No, this kind of stuff (CI, devops, ...) was always managed by Seb. Eventually maybe the owner of the tokens would be HackerPilot?
>
> oh right sorry, thought that was the case because they broke roughly around that time.
>
>> [...]
>> BTW, for the other folks who maybe are not sure what to do: the big problem was when your CI exposed secrets. If you don't expose secrets, like personal access tokens, you might have received an alarming mail, like the one mentioned, but it does not mean that there's a problem. The reason why you might have got the email is that at the account level (personal or organization) 1. you have defined one token. 2. one of the repos registered under this ID uses CodeCov. 3. by security they sent the mail. And even if you have exposed the secret, it does not mean that it had **Write Access**.
>
> I think it was compromised because they sent me a mail that it had been used in "suspicious requests" along with information of the IPs that made the requests.

I did not get this one for my gitlab stuff. I got the first one like everyone. A second a few days ago, saying "you're compromised", but there were no details like an IP. Anyway you should try to push a tag in one of the repos with the new token. There are chances that this will not work, as those you deleted did not either, as it did not work way before the codecov security event.