atlassian / lerna-semantic-release

📦:🛠✨💥 – fully automated package publishing
https://www.npmjs.com/package/lerna-semantic-release

Security issue: on git Authentication failed git push will reveal GH_TOKEN #75

Closed elmariofredo closed 7 years ago

elmariofredo commented 7 years ago

This happened to me on my testing repo https://github.com/elmariofredo/test-lerna-semantic-release in build https://travis-ci.org/elmariofredo/test-lerna-semantic-release/builds/211706561 where for some strange reason Travis forgot to add RELEASE_GH_USERNAME to env from settings. It was there the build before, so it seems like a Travis issue.

Here you can see the log of the revealed security token (don't worry, this one is no longer valid ;)):

info:    Executing pushCommits in root
info:    + git push origin
remote: Anonymous access to elmariofredo/test-lerna-semantic-release.git denied.
fatal: Authentication failed for 'https://:f5f5de7d72c4f8c4558a258103978d77b2a1bfc2@github.com/elmariofredo/test-lerna-semantic-release.git/'
info:    ret > 128
info:    err >  remote: Anonymous access to elmariofredo/test-lerna-semantic-release.git denied.
fatal: Authentication failed for 'https://:f5f5de7d72c4f8c4558a258103978d77b2a1bfc2@github.com/elmariofredo/test-lerna-semantic-release.git/'

I think that we should suppress detailed error messages in sensitive commands like git here https://github.com/atlassian/lerna-semantic-release/blob/caribou/packages/lerna-semantic-release-io/io/git.js

elmariofredo commented 7 years ago

Sorry, closing this. I didn't properly check your CI setup, where you are setting the remote address without credentials. My bad.

jpnelson commented 7 years ago

It's certainly a gotcha that's worth calling out somewhere, thanks for the feedback :)