[Klathmon]

They do this for all of their own API keys already. They not only notify you but instantly invalidate a key pushed to a public repo.

Annoyingly there is no way to turn it off even when you explicitly want to share an API key knowingly. But i'm more than fine with needing to "obfuscate" an API key or manage secrets correctly knowing it saves TONS of people.

[chimeracoder]

Why would you ever want to share a valid Github API key publicly?

[Klathmon]

It's been a while, but IIRC it was a key with no permissions used on a CI server to get around github's API usage limits.

It probably wasn't the best idea, but it was the only "secret" needed in the whole project and I didn't want to maintain a way of managing secrets in a public project for a pointless key.

In the end I did just that, and looking back it was the better choice, but at the time it was annoying.

[Cyphase]

"... used ... to get around github's API usage limits."

I wonder why they'd want to invalidate that. :)

[remmelt]

Continuous development, e.g. Jenkins? (Please don’t do this)

[jayshua]

Why not?

[arjie]

Out of curiosity, why not a deploy user? https://developer.github.com/guides/managing-deploy-keys/

[TeMPOraL]

Split it to parts and concatenate it, then?

$key = "BAAD" + "F00D" + "CAFE" + "BABE";

[Ajedi32]

> But i'm more than fine with needing to "obfuscate" an API key or manage secrets correctly