From abbbb4d52c01dbc255ddd4607dc4bf14b952fa41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mi=C5=A1ko=20Hevery?=
Date: Mon, 13 Mar 2017 14:43:52 -0700
Subject: [PATCH] ci: do not use shell to expand secure tokens to prevent leaks
---
 scripts/ci/publish-build-artifacts.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/scripts/ci/publish-build-artifacts.sh b/scripts/ci/publish-build-artifacts.sh
index 79b79f2153..8c82adcc4e 100755
--- a/scripts/ci/publish-build-artifacts.sh
+++ b/scripts/ci/publish-build-artifacts.sh
@@ -75,11 +75,10 @@ function publishRepo {
 done
 (
- # SECURITY CRITICAL: DO NOT remove the set -x on the following line. Removing it will leak the github credentials to the travis log.
- set -x
 cd $REPO_DIR && \
 git config credential.helper "store --file=.git/credentials" && \
- echo "https://${GITHUB_TOKEN_ANGULAR}:@github.com" > .git/credentials
+ # SECURITY CRITICAL: DO NOT use shell to expand vars since it could be logged and leaked.
+ node -e "console.log('https://'+process.env.GITHUB_TOKEN_ANGULAR+':github.com')" > .git/credentials
 )
 fi
 echo `date` > $REPO_DIR/BUILD_INFO
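Review bot: The added `node -e` line writes `https://<token>:github.com`, dropping the `@` that the removed `echo` line had in `:@github.com`. The result is not a valid `https://user:password@host` entry for the `store` credential helper, so later authenticated git operations would presumably find no credential for github.com. The line should read `node -e "console.log('https://'+process.env.GITHUB_TOKEN_ANGULAR+':@github.com')" > .git/credentials`. Because the redirect creates `.git/credentials` under the shell's default umask, consider adding `umask 077` inside the subshell before the write so the token file is not group- or world-readable. The enclosing `publishRepo` function starts and ends outside this hunk.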