I also think the CI service, which GitHub doesn't provide, is a higher-risk environment for this kind of thing. GitHub settings pages don't production deploy keys.
(I have no relationship with GitHub other than that I am a customer and have watched them steadily hire some of the best people I know in the industry).
Excuse me, is there any article about this, or maybe some pointer where one could get a GA script that doesn't need `script-src data:` (or eval or similar insanity) in the CSP?
I've tried to add a CSP for a page that has GA (no other external deps), and it seemed to deliver some scripts from a base64-encoded data URI. I haven't researched what exactly it does, but I suppose it was the unpacker inserting code that way instead of using eval. Could be wrong, though, but the only external JS reference was analytics.js, and when testing in Firefox 57, CSP complained about a script with a data URI.
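As an added example for the CSP question above (not code from this thread, and not anything the GA project ships), here is a small checker that parses a Content-Security-Policy header value and reports script sources that undermine the policy, run against a constructed weak policy that allows `script-src data:` beside a constructed hardened one that replaces it with a per-response nonce for the inline bootstrap snippet and an allowlisted analytics host. The host `https://www.google-analytics.com` is assumed here as the origin analytics.js loads from; whether a given analytics.js build still needs `data:` at runtime is not settled by the thread, so the hardened policy is the target to deploy and watch CSP violation reports against.

```python
"""Check a CSP's effective script-src for sources that defeat its purpose.

Added example (not from the thread). The two policies are constructed:
WEAK_POLICY allows script-src data:, which is what the GA unpacker
reportedly needed; build_nonce_policy() drops data: in favour of a nonce
for the inline bootstrap snippet and an allowlisted analytics host.
"""
import secrets

# Sources that let injected or runtime-built script run despite the CSP.
RISKY_SCRIPT_SOURCES = {
    "data:": "data: URIs let any injected <script src=\"data:...\"> execute",
    "blob:": "blob: URLs let script assembled at runtime execute",
    "'unsafe-inline'": "allows inline scripts and event handlers",
    "'unsafe-eval'": "allows eval(), new Function() and string timers",
    "*": "wildcard host allows scripts from anywhere",
}


def parse_csp(policy):
    """Parse a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_script_sources(directives):
    """script-src falls back to default-src when it is absent."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def risky_script_sources(policy):
    """Return {source: reason} for every risky source in the effective script-src."""
    sources = effective_script_sources(parse_csp(policy))
    return {s: RISKY_SCRIPT_SOURCES[s] for s in sources if s in RISKY_SCRIPT_SOURCES}


def build_nonce_policy(nonce):
    """Hardened policy: only the nonce'd inline snippet and the analytics host may run.

    The analytics host is an assumption for this example; the nonce must be
    freshly generated per response and placed on the <script nonce=...> tag.
    """
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' https://www.google-analytics.com; "
        "connect-src 'self' https://www.google-analytics.com; "
        "object-src 'none'; base-uri 'self'"
    )


# Constructed weak policy: data: in script-src is the finding we want to catch.
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' data: https://www.google-analytics.com"
)

if __name__ == "__main__":
    print("weak:", risky_script_sources(WEAK_POLICY))
    nonce = secrets.token_urlsafe(16)
    print("hardened:", risky_script_sources(build_nonce_policy(nonce)))
```

The checker deliberately looks at the effective `script-src` (falling back to `default-src`), because a policy with no `script-src` at all inherits whatever `default-src` allows, which is where an `'unsafe-eval'` or `data:` quietly slips in. Deploying the hardened form in `Content-Security-Policy-Report-Only` first shows whether the analytics bundle actually trips the `data:` restriction before anything is blocked.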
Since you're asking though, here's one thing you can do better: Stop spamming HN with your irrelevant nonsense.
The person that I responded to said something about GitLab so I told them how I felt about their comment and their product. I would've said the same thing in person.
Nearly everyone on HN has heard of GitLab. They don't need the astroturfing or spamming you are accusing them of.
No because then the comment would be on-topic.
> GitLab is not some random company spamming their crap.
Yes they are.
> Nearly everyone on HN has heard of GitLab.
Because of the spamming.
I know Gitlab is HN's darling but to me it's not reasonable to plug your service every time a competing service is mentioned.
You cannot opportunistically spam nearly every thread where GitLab might be tangentially related.
I don't use GitLab largely because of the way you post on HN, though the software seems reasonably well-written. It's very frustrating.
It's informative, not "gitlab doesn't suffer from this, here's a 10% off coupon https://gitlab.com!!".
More generally, however, you're right although I have just come to accept that this is how things are on HN. Choose pretty much any "Show HN" thread or any thread about some cool new app/product/service and in the thread you'll find a few "shameless plug" comments that would be considered spam in any other forum: "Hey, we also make an app that does $foo, sign up for our beta at example.com and check us out!".
(One of the worst "offenders" is Userify. Pick any thread that relates tangentially to user authentication and chances are good you'll find a comment from them that manages to work their name/URL into the conversation somehow.)
> To be clear, letting third party JS run in a trusted environment like a dashboard is an industry wide problem. If we assume CircleCI is the only bad actor we're kind of missing the point of the exercise.