Here's how it works (unfortunately, GitHub does not allow a secret named GITHUB_ , so I created the secret "TOKEN" and assigned it to the variable GITHUB_API_TOKEN).
I also added "env" to print all variables; you can see the value of GITHUB_API_TOKEN is masked. It is set to a wrong value, so the API call failed: https://github.com/chipitsine/haproxy/actions/runs/3759885064/jobs/6389967966

Thu, 22 Dec 2022 at 23:28, Willy Tarreau <w...@1wt.eu>:

> On Thu, Dec 22, 2022 at 06:20:26PM +0100, William Lallemand wrote:
> > On Thu, Dec 22, 2022 at 06:12:46PM +0100, Willy Tarreau wrote:
> > > On Thu, Dec 22, 2022 at 11:00:26PM +0600, ???? ??????? wrote:
> > > > I'm not sure if it is possible to issue organization based token (not a
> > > > personal one).
> > > >
> > > > As for visibility, secrets are not visible for pull requests.
> > >
> > > My concern is not that they are in PR or any such thing, but they're
> > > passed in HTTP requests and function arguments in python scripts. So
> > > once we get a failure, if the failed request is dumped into the CI's
> > > logs, or if the python interpreter emits a stack trace with all
> > > arguments to the functions in the stack, the build logs will reveal
> > > the secret. Maybe there's a way to be certain that the logs from the
> > > python script are never dumped to publicly accessible logs, or to
> > > redirect them to files only accessible to authorized people, and that
> > > would be fine, but until this, I don't know what such guarantees we
> > > have. This is my concern regarding the use of this token like this.
> > >
> > > Thanks,
> > > Willy
> >
> > You need to be logged in to see the logs of the CI, I don't know if it is
> > only accessible to the people in the haproxy group or if it only needs to
> > be logged in to github.
>
> OK. At least this is something we need to verify before proceeding. I
> don't know if anyone has access to an account not part of the users
> here. Or conversely maybe we can try to look for another project's
> CI logs.
>
> Willy
>
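
An added example, not part of the thread or of the HAProxy CI scripts: one way for a Python CI script to keep the token out of build logs when a request fails, by scrubbing it from the traceback before anything is written. The function names, the failing opener, the URL and the token value are all constructed for illustration.

```python
import io
import sys
import traceback
import urllib.request


def redact(text, secrets):
    """Replace every occurrence of each non-empty secret with '***'."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "***")
    return text


def run_redacted(func, secrets, stream=sys.stderr):
    """Run func(); on failure write a scrubbed traceback and do not re-raise,
    so the interpreter never prints its own unredacted trace."""
    try:
        return True, func()
    except Exception:
        safe = redact(traceback.format_exc(), secrets)
        stream.write(safe)
        return False, safe


def api_get(url, token, opener=urllib.request.urlopen):
    """GET url with the token in a header rather than in the URL."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with opener(req, timeout=10) as resp:
        return resp.read()


def _failing_opener(req, timeout=None):
    # Constructed failure: a client that echoes request headers in its error.
    raise RuntimeError("request failed: %r" % dict(req.header_items()))


def demo():
    token = "constructed-token-0123456789"  # constructed value, not a real token
    url = "https://api.example.invalid/repos"  # constructed URL, never contacted
    return run_redacted(lambda: api_get(url, token, _failing_opener),
                        [token], stream=io.StringIO())
```

In a workflow, the token would come from `os.environ["GITHUB_API_TOKEN"]` and be passed both to `api_get` and in the `secrets` list; this works independently of the log masking GitHub applies to registered secrets.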