From 213f4a5333c21020da030012979bd326a34fb28c Mon Sep 17 00:00:00 2001
From: Colin Arnott
Date: Tue, 18 Feb 2020 08:00:18 +0000
Subject: [PATCH 1/3] context: use the real oauth credentials

It is trivial to extract this information from the released artefacts, thus there is no security benefit to the safe/development credentials. This approach also prevents users from using go-get to install. As proof of concept, and to enable go-get, this change embeds the GitHub CLI credentials, instead of GitHub CLI (dev).
---
 context/config_setup.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/context/config_setup.go b/context/config_setup.go
index 4d91a4c62..4236a81d9 100644
--- a/context/config_setup.go
+++ b/context/config_setup.go
@@ -18,10 +18,8 @@ const (
 )

 var (
- // The GitHub app that is meant for development
- oauthClientID = "4d747ba5675d5d66553f"
- // This value is safe to be embedded in version control
- oauthClientSecret = "d4fee7b3f9c2ef4284a5ca7be0ee200cf15b6f8d"
+ oauthClientID = "178c6fc778ccc68e1d6a"
+ oauthClientSecret = "34ddeff2b558a23d38fba8a6de74f086ede1cc0b"
 )

 // TODO: have a conversation about whether this belongs in the "context" package
From 72bde685b06271e5bc4288ea034c91207d4d901f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mislav=20Marohni=C4=87?=
Date: Tue, 18 Feb 2020 19:22:01 +0100
Subject: [PATCH 2/3] Add back comments explaining OAuth app credentials

---
 context/config_setup.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/context/config_setup.go b/context/config_setup.go
index 4236a81d9..6cb8ddb6c 100644
--- a/context/config_setup.go
+++ b/context/config_setup.go
@@ -18,7 +18,9 @@ const (
 )

 var (
- oauthClientID = "178c6fc778ccc68e1d6a"
+ // The "GitHub CLI" OAuth app
+ oauthClientID = "178c6fc778ccc68e1d6a"
+ // This value is safe to be embedded in version control
 oauthClientSecret = "34ddeff2b558a23d38fba8a6de74f086ede1cc0b"
 )
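Review bot: In PATCH 1/3 the two added lines put the production `oauthClientSecret` into source as a plain literal, so from this commit on the "GitHub CLI" app has to be treated as a public OAuth client and the secret gives no assurance about which program is presenting it. The login flow is outside this hunk; it should be confirmed that it validates the `state` value on the callback and only accepts a loopback redirect, since those are the controls that remain once the secret is public. Rotating the value later would presumably break every released binary that embeds it, which is worth recording before it ships. Once the `-X` overrides in `.goreleaser.yml` are removed (PATCH 3/3) the pair can become constants, e.g. `const oauthClientID = "178c6fc778ccc68e1d6a"`, provided nothing else in the package assigns to them.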
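Review bot: The re-added comment `// This value is safe to be embedded in version control` in PATCH 2/3 was written for the development app and now sits on the production secret without saying why it is safe. I would spell the reasoning out so that a secret-scanner hit or a later reader can triage it: `// Not confidential: gh is a public OAuth client and this value ships in every release binary. Do not rely on it to authenticate the client.` The `var (` block opens and closes inside the hunk.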
From c32bcee4bb4216ad3c749d314e93add6b5863c2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mislav=20Marohni=C4=87?=
Date: Tue, 18 Feb 2020 19:23:37 +0100
Subject: [PATCH 3/3] No need to configure production OAuth app on release anymore

---
 .github/workflows/releases.yml | 2 --
 .goreleaser.yml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index e8a3c0143..f241dc1d9 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -25,8 +25,6 @@ jobs:
 version: latest
 args: release --release-notes=CHANGELOG.md
 env:
- GH_OAUTH_CLIENT_ID: 178c6fc778ccc68e1d6a
- GH_OAUTH_CLIENT_SECRET: ${{secrets.OAUTH_CLIENT_SECRET}}
 GITHUB_TOKEN: ${{secrets.UPLOAD_GITHUB_TOKEN}}
 msi:
 needs: goreleaser
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 1eb611313..619180def 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -13,8 +13,6 @@ builds:
 main: ./cmd/gh
 ldflags:
 - -s -w -X github.com/cli/cli/command.Version={{.Version}} -X github.com/cli/cli/command.BuildDate={{time "2006-01-02"}}
- - -X github.com/cli/cli/context.oauthClientID={{.Env.GH_OAUTH_CLIENT_ID}}
- - -X github.com/cli/cli/context.oauthClientSecret={{.Env.GH_OAUTH_CLIENT_SECRET}}
 - -X main.updaterEnabled=cli/cli
 id: macos
 goos: [darwin]