Open Byron opened 6 days ago
I declare it ready for review despite the Frontend-based CI failures. @mtsgrd offered help in turning the naive current implementation into something maintainable much faster and better than I could do it. Thus, I will stop force-pushing here and will at most push fixes on top if @krlvi finds issues during testing.
Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
@Byron thanks, I've pushed a commit splitting out a separate service for the secrets. Could you have a look and make sure things still work as expected?
Remove plain-text secrets from various configuration files and put them into the keystore instead.
This is a similar move as the one done by the gh command-line tool recently, which now also stores its secrets (like the GitHub authentication token) in the keystore.
Tasks
Sensitive fields won't be serialized (but they need to be deserialized for migration)
Platform Notes
On MacOS - Dev Mode
gh doesn't have this problem, as it appears to use the Git credential helpers (which are stable, binary-wise).
gitoxide it finds git executables more thoroughly, enabling credentials to be used. I think the custom keychain should be the level-2 store, with git-credentials being the one tried first.
On MacOS - Nightly Build
On Windows
whatever secret-store Windows has (the Credential Manager). I.e. it can remove the secret from the plain file, access it from the secret store, and delete it from the secret store once the user is signed out.
On Ubuntu 22.04
https://auth.gitbutler.com/login/callback?error=redirect_uri_mismatch&error_description=The+redirect_uri+MUST+match+the+registered+callback+URL+for+this+application.&error_uri=https%3A%2F%2Fdocs.github.com%2Fapps%2Fmanaging-oauth-apps%2Ftroubleshooting-authorization-request-errors%2F%23redirect-uri-mismatch&state=IqB-c-28IA0egwI-dqs39UEY_7ZpZ0Zn
Notes for the Reviewer
SecretService with respective mock-tests using that. However, this is probably what should be created at some point once more secrets are used.
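The behaviour the description outlines (a sensitive field that is still read for migration but never written back, with the secret moved into a store and deleted at sign-out), as an added example that is not GitButler's code. The User record, its access_token field, the key=value file format, the handle naming and the in-memory MemoryStore are all assumptions standing in for the real types and the OS keystore.

```rust
use std::collections::HashMap;
use std::fmt;

/// Secret wrapper: parsed from legacy config files, never written back or printed.
#[derive(Clone, PartialEq)]
pub struct Sensitive(pub String);
impl fmt::Debug for Sensitive {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("<redacted>")
    }
}

/// In-memory stand-in for the OS keystore (assumption; a real store calls the platform API).
#[derive(Default)]
pub struct MemoryStore(pub HashMap<String, Sensitive>);

/// Simplified user record kept in a `key=value` config file (constructed format).
#[derive(Debug)]
pub struct User {
    pub name: String,
    pub access_token: Option<Sensitive>, // only ever filled by a legacy file
}

impl User {
    /// Deserialize; a legacy plain-text `access_token` line is still accepted.
    pub fn parse(text: &str) -> User {
        let kv: HashMap<&str, &str> = text.lines().filter_map(|l| l.split_once('=')).collect();
        User {
            name: kv.get("name").copied().unwrap_or_default().to_string(),
            access_token: kv.get("access_token").map(|t| Sensitive(t.to_string())),
        }
    }
    /// Serialize; the sensitive field is deliberately left out.
    pub fn serialize(&self) -> String { format!("name={}\n", self.name) }
    /// Move a legacy token into the store; true means the file must be rewritten.
    pub fn migrate(&mut self, store: &mut MemoryStore) -> bool {
        let Some(token) = self.access_token.take() else { return false };
        store.0.insert(self.handle(), token);
        true
    }
    /// Signing out deletes the secret from the store as well.
    pub fn sign_out(&self, store: &mut MemoryStore) { store.0.remove(&self.handle()); }
    fn handle(&self) -> String { format!("user-{}-access-token", self.name) }
}

fn main() {
    let mut store = MemoryStore::default();
    let mut user = User::parse("name=alice\naccess_token=constructed-token\n"); // constructed input
    let migrated = user.migrate(&mut store);
    println!("migrated: {migrated}, file now: {:?}, user: {:?}", user.serialize(), user);
}
```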