Commit 3ad30037 authored by Evan Read

Merge branch 'mc/docs/trigger-token-warning' into 'master'

Resolve "A lot of Trigger Token is Accessible from Internet because of the Documentation"

Closes #52261

See merge request gitlab-org/gitlab-ce!25945
parents 54df7200 9756a6cc
...@@ -17,6 +17,12 @@ The following methods of authentication are supported. ...@@ -17,6 +17,12 @@ The following methods of authentication are supported.
A unique trigger token can be obtained when [adding a new trigger](#adding-a-new-trigger). A unique trigger token can be obtained when [adding a new trigger](#adding-a-new-trigger).
DANGER: **Danger:**
Passing plain text tokens in public projects is a security issue. Potential
attackers can impersonate the user that exposed their trigger token publicly in
their `.gitlab-ci.yml` file. Use [variables](../variables/README.md#variables)
to protect trigger tokens.
## Adding a new trigger ## Adding a new trigger
You can add a new trigger by going to your project's You can add a new trigger by going to your project's
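Review bot: The new Danger callout ends at "Use [variables](../variables/README.md#variables) to protect trigger tokens" and gives no remediation for tokens that are already committed in plain text, which is the situation the linked issue title describes. Moving a token into a variable does not remove it from the repository history, so I would add a sentence telling readers to revoke any trigger token that has appeared in a `.gitlab-ci.yml` file and create a new one before storing it in a variable. The callout is also scoped to "public projects" only; consider saying that a token committed to any repository is readable by everyone who can read that repository.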
...@@ -53,9 +59,6 @@ The action is irreversible. ...@@ -53,9 +59,6 @@ The action is irreversible.
> >
> - Valid refs are only the branches and tags. If you pass a commit SHA as a ref, > - Valid refs are only the branches and tags. If you pass a commit SHA as a ref,
> it will not trigger a job. > it will not trigger a job.
> - If your project is public, passing the token in plain text is probably not the
> wisest idea, so you might want to use a
> [variable](../variables/README.md#variables) for that purpose.
To trigger a job you need to send a `POST` request to GitLab's API endpoint: To trigger a job you need to send a `POST` request to GitLab's API endpoint:
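Review bot: Removing the plain-text-token bullet from this note leaves the section around "To trigger a job you need to send a `POST` request" with no mention of token handling; the only warning now sits in the authentication section near line 17, roughly forty lines above where readers copy the request. I would keep a one-line pointer here back to the Danger callout, or check that the request examples following this paragraph reference the token through a variable rather than a literal value, so that the text people actually copy from carries the guidance.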
......