Are those your production codecov and nuget keys/tokens? If so, you'd better expire them since they are now public.
Have to admit, I was morbidly curious if anyone would say something about tokens that looked real.
Last time I used something obviously fake. AppVeyor (and seemingly every other GitHub et al CI/CD service) provides a way to encrypt sensitive strings like API keys. Not sure how secure it really is, so after I tried it out I changed the token. ;)
For codecov, it's actually the real report upload token. But for public projects such as this you can upload reports without it. Guess they figure there's not much harm that can come from people maliciously uploading fake reports. But that way it doesn't really matter if it gets committed to a public repository.
Cool. You seem like an experienced dev so I figured you knew better but we all make mistakes. Good post.
I'm certainly due for a mistake (assuming I haven't made one already).
Thanks for the comments.