git-changelog: Causing access token deletion in account

Describe the bug

When I use the git-changelog package in a bash script which is responsible for bumping my own package version, creating a tag and then generating changelog. You can see the script here wpdetect/release-tag.sh.

Sounds strange! I know. But I have pinpointed the cause of token deletion by commenting on/off every line in the above script. And when the changelog generation was commented out, my token didn't get deleted.

To Reproduce

Steps to reproduce the behavior:

  1. Create an access token with appropriate permissions and scopes.
  2. Fork https://github.com/IamLizu/wpdetect
  3. cd into wpdetect
  4. chmod +x release-tag.sh
  5. ./release-tag.sh
  6. Check your GitHub access token page, the token you had created is gone!

Expected behavior

It should not delete the token from the account.

System (please complete the following information):

  • git-changelog version: 1.0.1
  • Python version: 3.10.6
  • OS: Linux

About this issue

  • State: closed
  • Created a year ago
  • Comments: 22 (10 by maintainers)

Most upvoted comments

Great, thanks for letting me know 😃

I am sure this will work now, but I will let you know tomorrow from my end.

Yes, it’s almost done, will release later today 😃

Thanks! I found this as well, really helpful: https://gist.github.com/magnetikonline/073afe7909ffdd6f10ef06a00bc3bc88

Yeah, I just double-checked the combined one. And it still works.

Sure. git-changelog does not rely on platform-specific Markdown parsing features, such as GitHub’s ability to transform a commit sha (aef8dae) into a full link to the commit, or an issue number (#18) into a full link to the issue. This is because I strive to keep the tool platform-agnostic, to avoid vendor lock-in (“oops, my changelog renders correctly only on GitHub”). For example, it means that you can include your changelog in your built documentation and it renders correctly.

To render full links directly, git-changelog gets your configured Git remote (by running git config --get remote.origin.url) and uses it to build links to your commits, issues and/or pull requests. It detects that your remote is on GitHub or GitLab so it knows how to build the URLs to issues, etc. This is why the URL appears in the generated changelog, with the token, triggering its deletion once you push.

Thanks for the explanation ❤️

(for the fix: I’ll probably remove the token@ part when token starts with ghp_. Can’t see a better solution )

GitHub’s new tokens start with something else, please allow me a moment to check and post here.

Hahahaha OK that confirms it. Sorry about this mess! I’ll push a fix 🙂

Yeah got so many “Your GitHub access token has been found in IamLizu/wpdetect and revoked”.

HAHAHA, I screamed in terror a bit. And then I understood.

Here is the explanation:

  • you clone with the token in the HTTPS URL
  • it means the token appears in your configured Git remote
  • git-changelog actually uses that remote to create links in the changelog it generates
  • GitHub has automated security checks that will delete committed tokens
  • so when you push your changelog, GitHub sees that you committed your token, and deletes it

You should have received some emails or alerts in your account about the token deletions 🙂

So, it’s not really git-changelog’s fault, but maybe we could do something about it, like remove any token from the remote before using it to generate links 🙂
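Worked example for the two explanations above (how the tool derives links from remote.origin.url, and how a token embedded in that remote ends up in the committed changelog). This is added code, not git-changelog’s own implementation: it strips any user:token@ part from an HTTPS or ssh:// remote before anything else touches it, turns the result into a repository web URL, detects GitHub versus GitLab from the hostname, and builds commit and issue links. The sample remote and the ghp_ token value are constructed for the example; the helper that shells out to git config is only there to mirror what the thread describes and is not called by the demo.

```python
"""Strip embedded credentials from a Git remote before building changelog links.

Added example, not git-changelog's own code. A remote configured as
https://ghp_<token>@github.com/owner/repo.git carries the token into every
generated link; once the changelog is pushed, GitHub's secret scanning
revokes the token. Stripping the userinfo part before link generation
avoids that regardless of the token's prefix (ghp_ or otherwise).
"""
import re
import subprocess
from urllib.parse import urlsplit, urlunsplit

# scp-like SSH syntax: [user@]host:path (no scheme, no embedded token)
SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):(?P<path>.+)$")


def has_embedded_credentials(remote: str) -> bool:
    """True when a scheme-based remote (https://, ssh://) carries user[:password]@."""
    parts = urlsplit(remote)
    return bool(parts.scheme) and parts.username is not None


def strip_credentials(remote: str) -> str:
    """Return the remote with any user:token@ removed; scp-like remotes pass through."""
    parts = urlsplit(remote)
    if not parts.scheme:
        return remote
    netloc = parts.hostname or ""
    if parts.port:
        netloc = f"{netloc}:{parts.port}"
    # Drop query and fragment too: a secret could also be smuggled there.
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def remote_to_web_base(remote: str) -> str:
    """Turn any supported remote form into https://host/owner/repo (no .git)."""
    clean = strip_credentials(remote)
    parts = urlsplit(clean)
    if parts.scheme:
        host, path = parts.netloc, parts.path.lstrip("/")
    else:
        match = SCP_LIKE.match(clean)
        if not match:
            raise ValueError(f"unrecognised remote: {remote!r}")
        host, path = match.group("host"), match.group("path")
    if path.endswith(".git"):
        path = path[:-4]
    return f"https://{host}/{path.strip('/')}"


def detect_provider(web_base: str) -> str:
    """Guess the hosting platform from the hostname (GitHub or GitLab)."""
    host = (urlsplit(web_base).hostname or "").lower()
    if host == "github.com":
        return "github"
    if host == "gitlab.com" or host.startswith("gitlab."):
        return "gitlab"
    return "unknown"


def commit_url(web_base: str, sha: str) -> str:
    """Link to a commit; GitLab uses the /-/ path prefix, GitHub does not."""
    provider = detect_provider(web_base)
    if provider == "github":
        return f"{web_base}/commit/{sha}"
    if provider == "gitlab":
        return f"{web_base}/-/commit/{sha}"
    raise ValueError(f"no commit URL scheme known for {web_base}")


def issue_url(web_base: str, number: int) -> str:
    """Link to an issue, following the same provider split as commit_url."""
    provider = detect_provider(web_base)
    if provider == "github":
        return f"{web_base}/issues/{number}"
    if provider == "gitlab":
        return f"{web_base}/-/issues/{number}"
    raise ValueError(f"no issue URL scheme known for {web_base}")


def configured_remote(cwd: str = ".") -> str:
    """Read remote.origin.url the way the thread describes (git config --get)."""
    out = subprocess.run(
        ["git", "config", "--get", "remote.origin.url"],
        cwd=cwd, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample: a clone done with the token in the HTTPS URL.
    leaky_remote = "https://ghp_0123456789abcdefEXAMPLE@github.com/IamLizu/wpdetect.git"
    print("token in remote:", has_embedded_credentials(leaky_remote))
    base = remote_to_web_base(leaky_remote)
    print(base)
    print(commit_url(base, "aef8dae"))
    print(issue_url(base, 18))
```

The check in has_embedded_credentials is also a cheap pre-commit guard: a release script can refuse to run when the configured remote carries a userinfo part, which is the condition that led to the revocations in this thread.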

Thanks a lot, will try now!

OK sorry but there’s 0 chance git-changelog can delete a token on GitHub. That’s just not possible. We don’t do any HTTP request, even less API calls to GitHub. The only things we run in a subprocess are git config and git log. We don’t use git commit or git push ourselves, we only write in a local file. Authentication is always done by the user and is irrelevant to git-changelog.

I’ll keep it open until you answer my two previous questions so I can try for myself, and then I’ll either:

  • scream in terror seeing you were right (but still the issue probably comes from something else than git-changelog)
  • close the issue

Hello, thanks for the report.

When I use the git-changelog package in a bash script which is responsible for bumping my own package version, creating a tag and then generating changelog. You can see the script here wpdetect/release-tag.sh.

Sounds strange! I know.

I think your sentence is incomplete here?

Anyway, if I understand correctly, your token on GitHub itself gets deleted? That seems impossible to be caused by git-changelog haha, but I believe your investigation and will investigate as well 🙂

How do I set up authentication with the access token? What kind of permissions must I set on the token?