Discussion on: A Potpourri of .Net Core CI/CD (Lite)

Justin J Stark

Are those your production codecov and nuget keys/tokens? If so, you'd better expire them since they are now public.

jeikabu • Edited

Have to admit, I was morbidly curious if anyone would say something about tokens that looked real.

Last time I used something obviously fake. AppVeyor (and seemingly every other GitHub et al. CI/CD service) provides a way to encrypt sensitive strings like API keys. Not sure how secure it really is, so after I tried it out I changed the token. ;)

For codecov, it's actually the real report upload token. But for public projects such as this you can upload reports without it. Guess they figure there's not much harm that can come from people maliciously uploading fake reports. But that way it doesn't really matter if it gets committed to a public repository.

Justin J Stark

Cool. You seem like an experienced dev so I figured you knew better but we all make mistakes. Good post.

jeikabu

I'm certainly due for a mistake (assuming I haven't made one already).
Thanks for the comments.