Tell HN: Travis CI is seemingly compromised (once again)
Travis themselves have still not issued any notice or acknowledged this incident so it's worth letting the community know if they weren't already aware.
From memory, this will be the second breach in 2022 (https://blog.aquasec.com/travis-ci-security) in addition to last year's secret exposure (https://arstechnica.com/information-technology/2021/09/travi...)
---
A sampling of users on Twitter who have run into this issue:
https://twitter.com/peter_szilagyi/status/160059327410805555...
https://twitter.com/yaqwsx_cz/status/1600599797118996491
https://twitter.com/samonchain/status/1600611567606775808
https://twitter.com/dzarda_cz/status/1600613369408634886
https://twitter.com/samonchain/status/1600611567606775808
---
An example notice being sent out by Github (in lieu of Travis themselves taking any action):
> Hi {username}
> We're writing to let you know that we observed suspicious activity that suggests a threat actor used a Personal Access Token (PAT) associated with your account to access private repository metadata.
> Out of an abundance of caution, we reset your account password and revoked all of your Personal Access Tokens (classic), OAuth App tokens, and GitHub App tokens to protect your account, {username}.
55 comments
[ 4.7 ms ] story [ 106 ms ] threadThere does appear to be some solutions on the marketplace that will allow you to ssh into a runner, but I haven't had a need for them as of yet.
[1] https://github.com/nektos/act
https://www.youtube.com/watch?v=l9VuQZ4a5pc
https://twitter.com/alexellisuk/status/1577977820055310336
For private repos and work stuff, we are working on actuated, which comes with unmetered billing minutes because you BOY machines or cloud instances.
ARM builds show to be ~ 20-30x faster than using QEMU too.
https://docs.actuated.dev/
It was up on Hacker News recently, so you may have already seen it.
https://blog.alexellis.io/blazing-fast-ci-with-microvms/
I've honestly missed this on Github Actions, and hadn't (yet) found a simple enough workaround to bother.
Does it work regular (free) accounts, free organizations or other similar setups used by non-commercial open-source projects?
You can find a guide on getting an ARM64 instance in Oracle Cloud elsewhere.
Firing everyone that knows the platform works pretty well short term, otherwise the outsourcing industry wouldn't be so popular
It's just highly unlikely to be reversible at this point, so once issues pop up it's basically goodbye.
Things I've seen broken over the past week:
* Notification counts - this is replaced by an empty blue dot
* Media - text-only tweets and replies work fine, no profile pictures though
* Replies - root tweets load fine and show an error if you try to open replies. If you try again enough times they would usually load.
They just decide something's wrong with your account but don't tell user what, or why it was decided.
Don't send people on a goose chase because you're obscuring details for "security."
edit: ah no, only some
"Because that's where the money is" frequently works, even if the quote is apocryphal.
Migrating was tedious, not difficult. We went slow, took a while and needed little scaffolding
I played with a self-hosted instance a bit (we need to store all code on premises) and it looked like several interesting CI/CD options were marked as "only in Ultimate". Is it worth it?
I mean, it "just works" and has all these critical pieces tightly integrated. I'm hyped on it.
After they did organizational changes, and some other stuff, I noticed my builds were hardly running. Many never started, and ever more never completed.
Travis was causing more issues than it solved for my projects' Github PRs.
I'm honestly surprised to see people still using Travis now, a few years down the line.