Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 9.0.0-rc0
Affects Version/s: None
Component/s: Testing Infrastructure
Labels:
None

Assigned Teams:

DevProd Test Infrastructure
Backwards Compatibility:
Fully Compatible
Sprint:
DevProd Test Infra 2026-05-05
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Summary

The evergreen_api_credentials_configure.sh script writes .evergreen.yml which contains evergreen_api_key directly into the src directory in the current git repo. Any workflow that runs git add could pick up this file and expose it if pushed.

This happened while creating a PR automation bot (SERVER-122442) and resulted in a security incident (INFOSEC-100600).

# evergreen/functions/evergreen_api_credentials_configure.sh
cd src
cat >.evergreen.yml <<END_OF_CREDS
api_server_host: https://evergreen.mongodb.com/api
api_key: "${evergreen_api_key}"
user: "${evergreen_api_user}"
END_OF_CREDS

Assignee:: Sean Lyons
Reporter:: Andrew Wang
Participants:: Andrew Wang, Githook User, Sean Lyons
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: Apr 10 2026 07:07:14 PM UTC
Updated:: Apr 15 2026 05:53:51 PM UTC
Resolved:: Apr 15 2026 05:53:51 PM UTC

Details

Description

Summary

Attachments

Activity

People

Dates