Merge branch 'mc/docs/trigger-token-warning' into 'master'

Resolve "A lot of Trigger Token is Accessible from Internet because of the Documentation" Closes #52261 See merge request gitlab-org/gitlab-ce!25945

Merge branch 'mc/docs/trigger-token-warning' into 'master'
Resolve "A lot of Trigger Token is Accessible from Internet because of the Documentation" Closes #52261 See merge request gitlab-org/gitlab-ce!25945
3ad30037 · Evan Read · 54df7200 · 9756a6cc · 3ad30037
Commit 3ad30037 authored Mar 12, 2019 by Evan Read
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

doc/ci/triggers/README.md doc/ci/triggers/README.md +6 -3

No files found.
--- a/doc/ci/triggers/README.md
+++ b/doc/ci/triggers/README.md
@@ -17,6 +17,12 @@ The following methods of authentication are supported.
 A unique trigger token can be obtained when [adding a new trigger](#adding-a-new-trigger).
+DANGER: **Danger:**
+Passing plain text tokens in public projects is a security issue. Potential
+attackers can impersonate the user that exposed their trigger token publicly in
+their `.gitlab-ci.yml` file. Use [variables](../variables/README.md#variables)
+to protect trigger tokens.
 ## Adding a new trigger
 You can add a new trigger by going to your project's
@@ -53,9 +59,6 @@ The action is irreversible.
 >
 > - Valid refs are only the branches and tags. If you pass a commit SHA as a ref,
 >   it will not trigger a job.
-> - If your project is public, passing the token in plain text is probably not the
->   wisest idea, so you might want to use a
->   [variable](../variables/README.md#variables) for that purpose.
 To trigger a job you need to send a `POST` request to GitLab's API endpoint: