From bba1f8ac03a7c8c0484beb9736ab6523b49015fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?=
Date: Thu, 30 Oct 2025 03:12:29 +0100
Subject: [PATCH] ci: Use CI/CD file variable tokens for secrets

We were leaking some tokens in artifacts, those tokens have been invalidated and re-generated, but starting from now let's use file tokens instead
---
 .gitlab-ci.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a41c18af5..e2dd2e1d7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -954,7 +954,7 @@ scan-build:
 - true && "${HOME}"/cov-analysis-linux64-*/bin/cov-build --dir cov-int meson compile -C _coverity_build
 - tar cfz cov-int.tar.gz cov-int
 - curl "https://scan.coverity.com/builds?project=${COVERITY_SCAN_PROJECT_NAME}"
- --form token="${COVERITY_SCAN_TOKEN}" --form email="${GITLAB_USER_EMAIL}"
+ --form token="$(cat "${COVERITY_SCAN_TOKEN_FILE}")" --form email="${GITLAB_USER_EMAIL}"
 --form file=@cov-int.tar.gz --form version="${CI_COMMIT_SHA}"
 --form description="${CI_COMMIT_SHA} / ${CI_COMMIT_TITLE} / ${CI_COMMIT_REF_NAME}:${CI_PIPELINE_ID}"
 artifacts:
@@ -1016,7 +1016,10 @@ dist-job:
 issue-bot:
 stage: report
 image: registry.gitlab.com/gitlab-org/distribution/issue-bot:latest
- script: /issue-bot
+ script:
+ - ISSUE_BOT_API_TOKEN=$(cat "${ISSUE_BOT_API_TOKEN_FILE}")
+ - export ISSUE_BOT_API_TOKEN
+ - /issue-bot
 rules:
 - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule"
 when: on_failure
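Review bot: The new `--form token="$(cat "${COVERITY_SCAN_TOKEN_FILE}")"` line still expands the secret into curl's argument list, so it can show up in the runner's process list and in the job log whenever shell tracing such as `CI_DEBUG_TRACE` is enabled. curl can read a form field's value straight from a file, which keeps the token out of the shell entirely: `--form token="<${COVERITY_SCAN_TOKEN_FILE}" --form email="${GITLAB_USER_EMAIL}"`. Unlike `$(cat …)`, curl sends the file contents verbatim, so check that the file variable's value carries no trailing newline. The `ISSUE_BOT_API_TOKEN=$(cat …)` line in the issue-bot hunk has the same tracing exposure, though there the value presumably has to reach the environment for /issue-bot. The script list this curl command belongs to starts above the hunk.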
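Review bot: The three new script lines in the issue-bot job carry no comment saying why the token is read from a file and exported only here, so a later cleanup could fold it back into a plain job-level variable and reintroduce the leak the commit message describes. A comment above the first script entry would record the intent, for example `# ISSUE_BOT_API_TOKEN_FILE is a file-type CI/CD variable; export its value only in this job, for /issue-bot`. It is also worth noting there that the assignment and the `export` are kept as separate steps on purpose: a failing `cat` then fails the job, whereas `export VAR=$(cat …)` would hide the error and start /issue-bot with an empty token.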