On Fri, 16 Apr 2021 at 20:15, Glyph <glyph@twistedmatrix.com> wrote:

On Apr 16, 2021, at 11:26 AM, Adi Roiban <adi@roiban.ro> wrote:

For twisted/twisted and I think that other repos the main secret available for GitHub Action is the PYPY upload token.

Just to make sure here - you mean PyPI, right?

Yes. Sorry. PyPI.org.
I guess that what we can do is stop using the codecov.io bash uploader and
switch back to the Python uploader.

Any other ideas?

I think we are actually OK given the constraints on the env vars, but just to be safe, we should invalidate / rotate the PyPI upload token. Any admins have a few spare minutes to do that?  (And like… check to make sure nobody uploaded anything surprising on our project page ;-)).



I don't have access to Twisted or ldaptor or other projects.

I only have access to pydoctor, and I saw that someone from NL (most probably Marteen :) has already rotated the token.

https://pypi.org/project/Twisted/#history looks ok. Last release 21.2.0 - Feb 28, 2021

Cheers
--
Adi Roiban
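The "check that nobody uploaded anything surprising" step above can be scripted instead of eyeballed. The following is an added example, not code from the thread or from the Twisted project: it takes the JSON that `https://pypi.org/pypi/<project>/json` returns, and flags every release file whose version is not on the maintainers' own list of releases, or whose upload time is later than the last release they know they made. The `SAMPLE_RESPONSE` below is constructed for the example (the `99.0.0` version and the late `manylinux` wheel are invented, and the digests are placeholders); only the shape of the JSON follows PyPI's real API.

```python
"""Audit a project's PyPI release history for unexpected uploads.

Added example, not part of the thread above. Compares the release
listing from https://pypi.org/pypi/<project>/json against what the
maintainers know they published.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample of the PyPI JSON API response (only the fields used here).
# The 99.0.0 release and the third 21.2.0 file are invented to trigger the checks.
SAMPLE_RESPONSE = {
    "info": {"name": "Twisted", "version": "21.2.0"},
    "releases": {
        "21.2.0": [
            {"filename": "Twisted-21.2.0-py3-none-any.whl",
             "upload_time_iso_8601": "2021-02-28T13:00:00.000000Z",
             "digests": {"sha256": "<placeholder>"}},
            {"filename": "Twisted-21.2.0.tar.gz",
             "upload_time_iso_8601": "2021-02-28T13:01:00.000000Z",
             "digests": {"sha256": "<placeholder>"}},
            # Constructed: an extra file added to an existing version weeks later.
            {"filename": "Twisted-21.2.0-cp39-cp39-manylinux_x86_64.whl",
             "upload_time_iso_8601": "2021-04-16T12:00:00.000000Z",
             "digests": {"sha256": "<placeholder>"}},
        ],
        # Constructed: a version the maintainers never released.
        "99.0.0": [
            {"filename": "Twisted-99.0.0-py3-none-any.whl",
             "upload_time_iso_8601": "2021-04-16T12:05:00.000000Z",
             "digests": {"sha256": "<placeholder>"}},
        ],
    },
}

# Versions the maintainers know they published (assumed for the example).
KNOWN_GOOD_VERSIONS = {"21.2.0"}


def parse_iso8601(value):
    """Parse PyPI's 'upload_time_iso_8601' (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unexpected_uploads(pypi_json, expected_versions, last_known_release):
    """Return sorted (version, filename, upload_time) tuples for suspicious files.

    A file is suspicious if its version is not in expected_versions, or if it
    was uploaded after last_known_release (an ISO 8601 timestamp string).
    Catches both rogue versions and extra files slipped into an old version.
    """
    cutoff = parse_iso8601(last_known_release)
    suspicious = []
    for version, files in pypi_json["releases"].items():
        for entry in files:
            uploaded = parse_iso8601(entry["upload_time_iso_8601"])
            if version not in expected_versions or uploaded > cutoff:
                suspicious.append((version, entry["filename"], uploaded.isoformat()))
    return sorted(suspicious)


def fetch_release_json(project):
    """Fetch the live listing; not used by the offline demo below."""
    with urllib.request.urlopen(f"https://pypi.org/pypi/{project}/json") as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run on the constructed sample; cutoff is the day after the real release date.
    for row in find_unexpected_uploads(SAMPLE_RESPONSE, KNOWN_GOOD_VERSIONS,
                                       "2021-03-01T00:00:00Z"):
        print("UNEXPECTED:", *row)
```

Run against the live API by swapping `SAMPLE_RESPONSE` for `fetch_release_json("Twisted")` and filling `KNOWN_GOOD_VERSIONS` from the project's own release records; the timestamp cutoff catches the case the thread cares about, a token misuse that adds files after the last legitimate release, even when the attacker reuses an existing version number.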