
Github has a feature to allow access to a singular repository via a key. It would be logical for CircleCI to use that feature, although I'm not sure they actually did.

https://help.github.com/articles/managing-deploy-keys#deploy...



I'm pretty sure that Circle uses the OAuth API to check out repos; the deploy key part on GitHub they use for their deployment feature.

If the attacker has a bunch of tokens, could they have bulk downloaded source code before the OAuth stuff was revoked by Circle?

https://github.com/blog/1270-easier-builds-and-deployments-u...


They did not.


They did, Circle-CI client here.

Info have a Circle-CI deploy key per private repository (which I will revoke).



