github-actions[bot]
commented
9 months ago This issue has had no activity in 90 days. Please comment if it is not actually stale.
Closed davidcorrigan714 closed 9 months ago
github-actions[bot]
commented
9 months ago This issue has had no activity in 90 days. Please comment if it is not actually stale.
We've noticed the build logging and profiling tools that we use with our C# builds in Azure Pipelines tend to cache environment variables quite a bit and it's come up in threat reviews that we really should never be putting tokens in environment variables because of how often & easily they tend to be logged or persisted in build artifacts. Is there a way to use this and the NuGet Authentication task without the VSS_NUGET_EXTERNAL_FEED_ENDPOINTS environment variable? A file in the Agent.TempDirectory would seem to be better, preferably even encrypted until the tool is actually called in a similar vain to how the Azure Pipelines agent stores secret variables during runtime.