google/openhtf

There is a plain text password in the github actions

mbenabda opened this issue · 2 comments

Looks like there is a plain text password for publishing the pypi package in
https://github.com/google/openhtf/blob/master/.github/workflows/build_and_deploy.yml#L45

Thank you @glados-verma and @dieppedalle for your quick reaction time on this!

I have a couple of questions though:

  • has the secret been rotated, and have the published PyPI packages been checked for tampering during this change?
  • can we trust that no published openhtf PyPI package has been or could be tampered with using the published secret?

Thank you !

Hi Mehdi - you can check from https://pypi.org/project/openhtf/#history that there's been no release since Oct 14 2019. I've confirmed with the token owner that they pushed this version.

The token has been replaced, and the old one will be revoked by early next week. After that, we'll push a new version to PyPI. At that point, you could try doing a diff vs the GitHub code to double check from your side that there's no surprising diff.
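The check suggested above (diff a published PyPI release against the GitHub source) is straightforward to script. The following is an added example, not code from the openhtf project or from anyone in this thread. It assumes you have already fetched the sdist (for instance with `pip download --no-binary :all: --no-deps openhtf==<version>`) and checked out the matching tag; the repository tree and tarball below are constructed inline so the script runs offline, and the `GENERATED` set is an assumption about which build-time files are expected to appear only in the sdist.

```python
"""Compare a PyPI source distribution (.tar.gz sdist) with a git checkout.

Added example for the openhtf issue; not project code. Sample repository
and sdist are constructed inline so this runs offline.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Files an sdist legitimately contains but which are generated at build time
# and never committed (assumption; extend per project).
GENERATED = {"PKG-INFO", "setup.cfg"}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _is_generated(path: str) -> bool:
    return os.path.basename(path) in GENERATED or ".egg-info/" in path


def hash_tree(root: str) -> dict:
    """Map relative path -> sha256 for every file under root, skipping .git."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = _sha256(fh.read())
    return out


def hash_sdist(fileobj) -> dict:
    """Map relative path -> sha256 for every regular file in a .tar.gz sdist.

    The leading `<name>-<version>/` directory that wraps an sdist's contents
    is stripped so paths line up with the checkout.
    """
    out = {}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[rel] = _sha256(tar.extractfile(member).read())
    return out


def compare(repo: dict, sdist: dict) -> dict:
    """Report files only in the sdist, only in the repo, and changed between them.

    `only_in_repo` is normally non-empty (tests, CI config, docs are not
    shipped); `modified` and `only_in_sdist` are the entries to scrutinise.
    """
    repo_paths = set(repo)
    sdist_paths = {p for p in sdist if not _is_generated(p)}
    return {
        "only_in_sdist": sorted(sdist_paths - repo_paths),
        "only_in_repo": sorted(repo_paths - sdist_paths),
        "modified": sorted(p for p in repo_paths & sdist_paths if repo[p] != sdist[p]),
    }


def _build_demo():
    """Construct a fake checkout and a fake sdist (constructed sample data)."""
    repo = tempfile.mkdtemp()
    files = {
        "setup.py": b"from setuptools import setup\nsetup(name='demo')\n",
        "demo/__init__.py": b"VERSION = '1.0'\n",
        "demo/core.py": b"def run():\n    return 'ok'\n",
        ".github/workflows/ci.yml": b"on: push\n",
    }
    for rel, data in files.items():
        path = os.path.join(repo, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(rel, data):
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("PKG-INFO", b"Metadata-Version: 2.1\nName: demo\n")  # build-time only
        add("setup.py", files["setup.py"])
        add("demo/__init__.py", files["demo/__init__.py"])
        # Tampered: an extra statement that is not in the repository.
        add("demo/core.py", files["demo/core.py"] + b"import os; os.system('id')\n")
        add("demo/extra.py", b"# not in git\n")  # file that exists only in the sdist
    buf.seek(0)
    return repo, buf


def demo() -> dict:
    """Run the comparison on the constructed sample; returns the report dict."""
    repo, sdist = _build_demo()
    return compare(hash_tree(repo), hash_sdist(sdist))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Against a real release, replace `_build_demo` with the path to your checkout and the downloaded tarball; a wheel needs the same treatment with `zipfile`, and the `.dist-info/` directory ignored the way `.egg-info/` is here. A clean result is `modified == []` and every entry in `only_in_sdist` being something the project's `MANIFEST.in` or build explains.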