To be fair though: CodeCov didn't use to have the "tokenless" option when this was implemented and you had two options:
Either you paste the token in your workflow so that the diff correctly shows up for all contributors
Or you use it as a secret, which means that nobody outside the org will get coverage diffs in their PRs, as per the secrets not being passed to workflows running on forks
In practice this was a trade-off and we never considered it to be a real security concern.
I'd also kindly ask you to follow security policy or email maintainers directly instead of immediately publicly exposing security related information (i.e. that there is a secret to find in the repo). We might not always be quicker to respond than people with bots that scrape GitHub for the word "security issue". 😄
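The two options the maintainer describes, as an added illustration that is not from this repository's own workflow: a minimal GitHub Actions job uploading coverage with codecov/codecov-action, with the plain-text token variant left commented out beside the secret-based one. The workflow name, the secret name `CODECOV_TOKEN`, the action version and the coverage file name are assumptions.

```yaml
# Added example, not the repository's workflow. Names are assumed.
name: coverage
on:
  push:
  pull_request:
jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... run the test suite here so that coverage.xml (assumed name) exists ...

      # Option 1 from the comment above: token pasted into the workflow.
      # Every fork PR gets a coverage diff, but the value is readable by anyone
      # who can read the repository and will be picked up by secret scanners.
      # - uses: codecov/codecov-action@v4
      #   with:
      #     token: 00000000-0000-0000-0000-000000000000  # placeholder, not a real token
      #     files: coverage.xml

      # Option 2: token stored as a repository secret. Nothing sits in the repo,
      # but GitHub does not pass secrets to workflows triggered by pull_request
      # events from forks, so contributors from forks get no coverage diff.
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage.xml
```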
Hi,
We are a team of security researchers from the University of Delaware in the United States. We are reaching out to notify you that one of the files in the repository contains secrets in plain text. It is crucial that the secrets are set up properly to safeguard the integrity and security of your system and its users.
Please reach out to [email protected] for more information.
Best regards,
UD X-Lab