Hey everyone,
Today we have a slightly different kind of security-related post. There's a cookbook article about using an FTP GitHub Action to deploy your site: Git-based FTP-deploys | Kirby CMS
An earlier version of the article described a setup where the FTP credentials were written directly into the action's YAML workflow file. This is of course very insecure if you are working with a public repo, where anyone can read them. It is not recommended for a private repo either: the credentials end up in the Git history and are visible to everyone with read access to the repository, its forks, and its clones. You should always store them as GitHub repository secrets and reference them from the workflow instead.
We missed this when reviewing the initial version and just published an update. If you ever followed that post or got inspired by it, please review your own setup again and make sure that you handle your credentials in a safe way. If your credentials were exposed, make sure to change them immediately.
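As an added illustration that is not taken from the cookbook article, here is what the difference looks like in a workflow file: the insecure variant with hard-coded credentials, followed by the corrected one that reads them from repository secrets. The action name and its inputs (`server`, `username`, `password`, `protocol`) are assumptions modelled on a common FTP deploy action; the hostname, user name and secret names are placeholders.

```yaml
# Added example, not the cookbook's own workflow. The action and its inputs are
# assumptions; check the README of the FTP action you actually use.

# BEFORE: credentials hard-coded in the workflow file. Anyone who can read the
# repository, or its Git history, can read them.
name: Deploy via FTP (insecure)
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: SamKirkland/FTP-Deploy-Action@v4   # assumed action
        with:
          server: ftp.example.com                # placeholder
          username: deploy-user                  # placeholder
          password: SuperSecret123               # leaks in the repo and in git history
---
# AFTER: credentials come from repository secrets
# (Settings > Secrets and variables > Actions > New repository secret).
# Secrets are never stored in Git and are masked in the job log.
name: Deploy via FTP
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: SamKirkland/FTP-Deploy-Action@v4   # assumed action
        with:
          server: ${{ secrets.FTP_SERVER }}      # secret names are placeholders
          username: ${{ secrets.FTP_USERNAME }}
          password: ${{ secrets.FTP_PASSWORD }}
          protocol: ftps                         # assumed input: plain FTP sends the password in cleartext
```

Two caveats worth keeping in mind: moving the values into secrets does not remove them from commits that are already in the repository, so rotate the FTP password after the change rather than only deleting it from the file; and secrets are only masked in logs, so do not echo them in a run step or pass them on the command line where they would show up in the process list.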