
Possible leak of credential #27

Open

MalcolmMielle opened this issue Jan 2, 2022 · 9 comments

@MalcolmMielle

For my package adwaita, I'm hit by this error:

Publishing adwaita 0.0.4 to https://pub.dartlang.org:
|-- CHANGELOG.md
|-- LICENSE
|-- README.md
|-- analysis_options.yaml
|-- credentials.json
|-- example
|   |-- README.md
|   |-- lib
|   |   '-- main.dart
|   '-- pubspec.yaml
|-- images
|   |-- dark.png
|   '-- light.png
|-- lib
|   |-- adwaita.dart
|   '-- src
|       |-- theme.dart
|       '-- utils
|           '-- colors.dart
'-- pubspec.yaml
Downloading vector_math 2.1.1...
Downloading typed_data 1.3.0...
Downloading meta 1.7.0...
Downloading collection 1.15.0...
Downloading characters 1.2.0...
Package validation found the following errors:
* line 1, column 197 of credentials.json: Potential leak of Google OAuth Refresh Token detected.
    ╷
  1 │ ***
    │                                                                                                                                                                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ╵
* line 1, column 16 of credentials.json: Potential leak of Google OAuth Access Token detected.
    ╷
  1 │ ***
    │                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ╵
  Add a git-ignore style pattern to `false_secrets` in `pubspec.yaml`

It seems as if the action tries to push my credentials with the package for some reason. I've added the credential as a secret and my yaml file is

name: Publish plugin

on:
  release:
    types: [published]

jobs:
  publish:

    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v1
      - name: Publish
        uses: sakebook/[email protected]
        with:
          credential: ${{ secrets.CREDENTIAL_JSON }}
          flutter_package: false
          skip_test: true
          dry_run: true

Which seems standard :/. What am I missing?
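A defender-side check for the behaviour described above, added here as an example (it is not code from the action or from the issue author): it parses the file tree that `pub publish` prints, rebuilds the relative paths, and flags any entry whose name matches an assumed deny list, so a `--dry-run` can be gated in CI before anything is uploaded.

```python
import re
import sys
from fnmatch import fnmatch
from typing import List

# Constructed sample: a trimmed copy of the tree that `pub publish` printed in
# the issue above, with credentials.json sitting in the package root.
SAMPLE_LISTING = """\
Publishing adwaita 0.0.4 to https://pub.dartlang.org:
|-- CHANGELOG.md
|-- credentials.json
|-- example
|   |-- lib
|   |   '-- main.dart
|   '-- pubspec.yaml
|-- lib
|   '-- src
|       '-- utils
|           '-- colors.dart
'-- pubspec.yaml
Downloading vector_math 2.1.1...
"""

# Each nesting level is a 4-character prefix ("|   " or "    ") in front of the
# "|-- " / "'-- " branch marker that pub draws.
_ENTRY = re.compile(r"^((?:\|   |    )*)[|']-- (.+)$")

# Assumed deny list of names that must never ship inside a package; extend it.
SENSITIVE_PATTERNS = ["credentials.json", "pub-credentials.json", ".env",
                      "*.pem", "*.key", "*.p12"]


def parse_publish_tree(listing: str) -> List[str]:
    """Rebuild relative paths (files and directories) from pub's tree output."""
    paths: List[str] = []
    stack: List[str] = []  # directory chain from the root down to the current depth
    for line in listing.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # header, download progress and other non-tree lines
        depth = len(m.group(1)) // 4
        del stack[depth:]  # pop back to this entry's parent
        stack.append(m.group(2).strip())
        paths.append("/".join(stack))
    return paths


def find_sensitive_files(paths: List[str], patterns=SENSITIVE_PATTERNS) -> List[str]:
    """Return every entry whose basename matches one of the deny-list patterns."""
    return [p for p in paths if any(fnmatch(p.rsplit("/", 1)[-1], pat) for pat in patterns)]


if __name__ == "__main__":
    # Usage: pub publish --dry-run 2>&1 | python check_publish_tree.py
    hits = find_sensitive_files(parse_publish_tree(sys.stdin.read()))
    sys.exit(1 if hits else 0)
```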

@sakebook
Owner

sakebook commented Jan 2, 2022

@MalcolmMielle

I guess maybe your credential was expired.

Please try to update your credentials.

@MalcolmMielle
Author

I did a pub logout followed by pub login right before testing the action. Is that enough?

@sakebook
Owner

sakebook commented Jan 2, 2022

@MalcolmMielle

Your credentials are stored on GitHub. Please try to update the secret.

@MalcolmMielle
Author

MalcolmMielle commented Jan 2, 2022

This is what I did before having the problem:

  • pub logout
  • pub login
  • Update secret on GitHub from the new credentials.

It seems to me that the problem is that the credential.json is somehow being uploaded to pub.dev?

@sakebook
Owner

sakebook commented Jan 2, 2022

@MalcolmMielle

I see.

Please try to use v1.3.1?
I recently updated to v1.4.0. I want to isolate the problem.

@MalcolmMielle
Author

MalcolmMielle commented Jan 2, 2022

I will try that :)!

Thanks a lot for the help.

Edit: The workflow worked on v1.3.1. No credential.json was pushed on pub.dev

@BirjuVachhani

Rolling back to v1.3.1 did not work for me.

@danielgomezrico

I tried adding this line to .pubignore file:

credentials.json

And it works fine but I get another error:

Pub needs your authorization to upload packages on your behalf.

@gibahjoe

Hi, any update on this?
