2024-05-24 Accidentally exposing a GitHub PAT
Incident opened | 24/05/2024 14:50 |
---|---|
Incident closed |
Issue Description |
---|
A GitHub Personal Access Token (PAT) was accidentally included in an example bash script posted as a comment on a public GitHub discussion. For a short period of time, anyone on the public internet could have used the token to call the GitHub API with that token's scopes.
Impact |
---|
No impact was observed.
The GitHub audit log shows no suspicious activity for the exposure window.
Potential impact: anyone who captured the token could have read our source code (and performed any other action the token's scopes allowed) until it was revoked.
Timeline & Resolving Activity |
---|
~14:40 The initial comment is posted, containing a sanitized version of the snippet.
Over the next 10 minutes two subsequent edits are made to the comment (improvements to the code snippet); the last edit is not sanitized and contains the live PAT.
14:50 GitHub discovers that a PAT is included in a public comment and revokes the PAT immediately.
Root Cause Investigations |
---|
An engineer was automating development environment setup and experimenting with GitHub API calls. While searching for a solution, they came across a public discussion where others were working on a similar problem. After sketching out a working solution, the engineer wanted to contribute back to the community and share the example code, but accidentally pasted the unsanitized version (still containing the live PAT) into the comment.
Follow-Up Activities & Mitigations |
---|
Always issue PATs with the smallest scope possible (the exposed PAT was limited, yet far more permissive than the automation actually needed).
Always double-check, before hitting the submit button, that the code snippet actually being posted is sanitized. This applies to every edit of a comment, not only the first submission: in this incident the original post was clean and the token slipped in through a later edit.
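As an added example (not part of the incident report or of the engineer's script), the "double-check before submit" step can be made mechanical with a small shell check that refuses a snippet containing a GitHub-token-shaped string and prints a redacted copy instead. The token prefixes and lengths in the pattern are an assumption based on GitHub's documented token formats at the time of writing; the sample snippets and the dummy token are constructed for the example.

```shell
#!/bin/sh
# Added example: block posting a snippet that contains a GitHub-token-shaped
# string, and produce a redacted copy. Not code from the incident report.
#
# Assumption about GitHub token formats (adjust if GitHub changes them):
#   ghp_/gho_/ghu_/ghs_/ghr_ + 36 [A-Za-z0-9]                (classic PAT, OAuth, app tokens)
#   github_pat_ + 22 [A-Za-z0-9] + '_' + 59 [A-Za-z0-9]        (fine-grained PAT)
GH_TOKEN_RE='gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}'

# Print a copy of the snippet with every token-shaped string replaced.
redact_tokens() {
    printf '%s\n' "$1" | sed -E "s/$GH_TOKEN_RE/<REDACTED_GITHUB_TOKEN>/g"
}

# Return 0 if the snippet is clean, 1 (with a line:match report on stderr) if not.
check_snippet() {
    matches=$(printf '%s\n' "$1" | grep -E -o -n "$GH_TOKEN_RE" || true)
    if [ -n "$matches" ]; then
        printf 'Refusing to post: token-like string(s) found (line:match):\n%s\n' "$matches" >&2
        return 1
    fi
    return 0
}

# Constructed sample snippets. The "token" below is a dummy built from the
# alphabet and digits (36 characters after the prefix), not a real credential.
SANITIZED='curl -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user'
UNSANITIZED='curl -H "Authorization: Bearer ghp_abcdefghijklmnopqrstuvwxyz0123456789" https://api.github.com/user'

check_snippet "$SANITIZED" && echo "sanitized snippet: ok to post"
check_snippet "$UNSANITIZED" || {
    echo "unsanitized snippet: blocked; redacted copy:"
    redact_tokens "$UNSANITIZED"
}
```

Run it as a pre-submit step on the exact text about to be posted (for example by piping the snippet into `check_snippet` from the clipboard); the same pattern works as a git pre-commit hook or a CI grep over example code. The regex only catches GitHub's own token shapes, so extend `GH_TOKEN_RE` with the formats of any other credentials the snippet could carry.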