Skip to content

Don't accept CI secrets on CLI in SonatypeCentralPublishModule #5543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Don't accept CI secrets on CLI in SonatypeCentralPublishModule #5543

wants to merge 6 commits into from

Conversation

alexarchambault
Copy link
Collaborator

This PR makes SonatypeCentralPublishModule refuse credentials passed via --username and --password if it detects it's running on a CI. Using these arguments poses security issues: the Mill's prompt tries to print them back, like in

[4032/4037] =============== mill.scalalib.SonatypeC...N/lEdX9diiWxHsua8VLfDzw =============== 480s

(prompt obtained by running a command like ./mill -i mill.scalalib.SonatypeCentralPublishModule/ --username … --password …, containing parts of a now revoked token)

These secrets might be truncated in particular, which can make parts of these secrets slip through output secret detection.

alexarchambault and others added 5 commits July 15, 2025 17:46
@alexarchambault
Don't accept CI secrets on CLI in SonatypeCentralPublishModule
80c973f 
These secrets might leak with Mill's prompt, that tries to print back
the command arguments. These might be truncated in particular, which
can make parts of these secrets slip through output secret detection.
@alexarchambault
Fix MiMA
ab56040
@alexarchambault
Merge branch 'main' into sonatype-central-publish-ci-secrets
2b184cb 
 Conflicts:
	libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
@alexarchambault
fmt
9693ca0
@autofix-ci
[autofix.ci] apply automated fixes
b3ec055
@alexarchambault alexarchambault marked this pull request as ready for review July 15, 2025 20:07
@arturaz
Copy link
Collaborator

arturaz commented Jul 21, 2025

Perhaps we should make Mill support taking in mill.util.Secret[String] as the command argument, and that would prevent Mill from printing it out in any place?

@alexarchambault
Copy link
Collaborator Author

@arturaz Maybe at some point, yes. We need better secret management overall, some secrets might leak in serialized task results under out/ too. I think we should merge this in the mean time.

@alexarchambault
Merge branch 'main' into pr/sonatype-central-publish-ci-secrets
841cfe0 
 Conflicts:
	libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
lefou
lefou reviewed Aug 22, 2025
View reviewed changes
libs/javalib/src/mill/javalib/SonatypeCentralPublishModule.scala
Comment on lines +298 to +305
val isCI = Task.env.get("CI").nonEmpty
if (!force && isCI && (usernameParameterValue.nonEmpty || passwordParameterValue.nonEmpty))
sys.error(
"--username and --password options forbidden on CI. " +
"Their use might leak secrets. " +
s"Pass those values via environment variables instead ($USERNAME_ENV_VARIABLE_NAME and $PASSWORD_ENV_VARIABLE_NAME), or pass --force alongside them. " +
"You might want to check the output of this job for a leak of those secrets or parts of them."
)
Copy link
Member

@lefou lefou Aug 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we consider this unsafe, we might as well print the same message as warning in all other cases.

Also, instead of sys.error use Task.fail.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lefou lefou lefou left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alexarchambault @arturaz @lefou