[cbi-dev] Security notice about projects hosted on GitHub and using codecov

(cross-posted to cbi-dev)

Dear committers,

The Codecov GitHub app has recently issued a security notice https://about.codecov.io/security-update/. You can also read about it on Ars Technica https://arstechnica.com/gadgets/2021/04/backdoored-developer-tool-that-stole-credentials-escaped-notice-for-3-months/

If you host some code of your Eclipse project at GitHub and use Codecov in any CI environment (Jenkins, GitHub Actions, Circle CI, ...), we ask you to carefully read the above security notice.

The recommended action is to re-roll all of your credentials, tokens, or keys located in the environment variables in your CI processes that used one of Codecov’s Bash Uploaders.

If you have any doubt, questions or need assistance with this, feel free to either reach out to webmaster@xxxxxxxxxxxreleng-team@xxxxxxxxxxxxxxxxxxxxxx or open a ticket at https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=GitHub 

Thanks,
Mikaël

Mikaël Barbero 
Manager — Release Engineering and Technology | Eclipse Foundation
🐦 @mikbarbero
Eclipse Foundation: The Platform for Open Innovation and Collaboration

Attachment: signature.asc
Description: Message signed with OpenPGP
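
As an added example (not part of the original message or of Codecov's notice), the following sketch finds CI definitions that invoke the uploader and lists the secret names those files reference, as a starting list for rotation. The invocation patterns, the `audit` helper and the sample files are assumptions made for illustration.

```python
import re

# Assumed invocation patterns (not taken from the message above):
# the uploader fetched from codecov.io/bash, and the GitHub Action wrapper.
UPLOADER = {
    "bash-uploader": re.compile(r"codecov\.io/bash\b"),
    "github-action": re.compile(r"uses:\s*codecov/codecov-action@"),
}
# How a CI file names a secret: GitHub Actions secrets.X, Jenkins credentials('x').
SECRET_REFS = [
    re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)"),
    re.compile(r"credentials\(\s*['\"]([^'\"]+)['\"]\s*\)"),
]

def audit(ci_files):
    """ci_files: {path: text}. For each file that invokes the uploader, return
    {path: {"uploader": [(line_no, kind)], "rotate": [secret names]}}."""
    report = {}
    for path, text in ci_files.items():
        hits = [(n, kind)
                for n, line in enumerate(text.splitlines(), 1)
                for kind, pat in UPLOADER.items() if pat.search(line)]
        if not hits:
            continue  # uploader not used here, nothing to report
        names = sorted({m for pat in SECRET_REFS for m in pat.findall(text)})
        report[path] = {"uploader": hits, "rotate": names}
    return report

# Constructed sample CI files (hypothetical project).
SAMPLE = {
    ".github/workflows/ci.yml": """\
jobs:
  build:
    env:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
    steps:
      - run: mvn -B verify
      - run: bash <(curl -s https://codecov.io/bash)
""",
    "Jenkinsfile": """\
pipeline {
  environment { DEPLOY_KEY = credentials('deploy-key') }
  stages { stage('Build') { steps { sh 'mvn -B verify' } } }
}
""",
}

if __name__ == "__main__":
    for path, entry in audit(SAMPLE).items():
        print(path, entry)
```

The names found this way are only those written in the file itself; variables injected by the CI server or at organization level do not appear in the file and have to be reviewed separately.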

