Move documentation to docs.rs, revoke github tokens used for gh-pages #1

Open
@SimonSapin

I’m abusing this repo as a place to file an org-wide issue. We have four unicode-* code repos, and all of them currently have .travis.yml configured to build docs and push them to GitHub Pages with someone’s "personal access token".

This kind of setup is at risk of leaking access tokens, giving away push access to repositories: https://blog.travis-ci.com/2017-05-08-security-advisory. For these four repositories however, we correctly pass -q to git push so that the git URL (including the token) is not printed in the git logs. Therefore, to my knowledge, none of these tokens have been compromised.

Still, getting this right is subtle. And this setup is generally kinda fragile.

Since the time this was set up, docs.rs was created. It automatically builds and publishes docs for everything published to crates.io. For example: https://docs.rs/unicode-xid/0.1.0/unicode_xid/

@alexcrichton @huonw @Manishearth @kwantam, what do you think of removing the GitHub Pages setup (replacing with a redirect) and linking to docs.rs instead?

After that, GitHub access tokens should be revoked. This kind of token is dangerous because it is associated not with a repository, but with a user. It gives push access to every repository that this user has access to. Revoking them is tricky because it is not easy to find out what user a given token is for. According to git history (who added them), it looks like @alexcrichton has the token used in unicode-width, and @kwantam has the one used in unicode-normalization, unicode-segmentation, and unicode-xid.
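
A check for the leak described in this issue, as an added example that is not part of the original post or of the unicode-* repositories: it scans a CI build log for URLs that carry credentials and flags `git push` commands that target such a URL without `-q`. The log lines, script lines, token string, organization and the `GH_TOKEN` variable name are constructed for illustration.

```python
import re
import shlex

# URL with credentials in the userinfo part: https://<token>@host/path
CRED_URL = re.compile(r"(https?://)([^/\s@]+)@([\w.-]+/\S*)")

def redact(text):
    """Replace the userinfo part of every credential-bearing URL."""
    return CRED_URL.sub(r"\1[REDACTED]@\3", text)

def scan_log(log_text):
    """Return (line_number, redacted_line) for each log line exposing URL credentials."""
    return [(n, redact(line))
            for n, line in enumerate(log_text.splitlines(), 1)
            if CRED_URL.search(line)]

def noisy_pushes(script_lines):
    """Return `git push` commands that use a credential URL without -q/--quiet.

    Each entry is expected to be one simple command, as in a .travis.yml script list.
    """
    flagged = []
    for cmd in script_lines:
        words = shlex.split(cmd)
        if words[:2] != ["git", "push"]:
            continue
        args = words[2:]
        has_cred_url = any(CRED_URL.search(w) for w in args)
        quiet = any(w in ("-q", "--quiet") for w in args)
        if has_cred_url and not quiet:
            flagged.append(cmd)
    return flagged

# Constructed build log: a shell trace line and an error line, both echoing the URL.
SAMPLE_LOG = """\
+ git push https://0123abcd-constructed-token@github.com/example-org/example-repo.git HEAD:gh-pages
Building documentation
fatal: unable to access 'https://0123abcd-constructed-token@github.com/example-org/example-repo.git/'
"""

# Constructed script lines; GH_TOKEN is a hypothetical secret variable name.
SAMPLE_SCRIPT = [
    'git push -q "https://${GH_TOKEN}@github.com/example-org/example-repo.git" HEAD:gh-pages',
    'git push "https://${GH_TOKEN}@github.com/example-org/example-repo.git" HEAD:gh-pages',
    "git push origin master",
]

if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG):
        print(f"log line {number}: {line}")
    for cmd in noisy_pushes(SAMPLE_SCRIPT):
        print(f"push without -q: {cmd}")
```

Any hit from `scan_log` on a real build log means the token in that URL should be treated as exposed and revoked.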
