Process regarding worrying emails sent to the maintainers mailing list #59

@maelvls

On 6 Sept 2025, we received the following email:

From: 'GitHub' via cert-manager-maintainers <cert-manager-maintainers@googlegroups.com>
Date: Saturday, 6 September 2025 at 15:48
To: cert-manager-bot <cert-manager-maintainers+githubbot@googlegroups.com>
Subject: [GitHub] A personal access token (classic) has been added to your account

Hey cert-manager-bot!

A personal access token (classic) "snyk" with admin:repo_hook, read:org, and repo 
scopes was recently added to your account. Visit ... for more information. To see
this and other security events for your account, visit ... If you run into problems,
please contact support by visiting ...

Thanks,
The GitHub Team

That was me. I was evaluating Snyk (CNCF offers it for free) but realized we already do dependency scanning with Renovate as well as container image scanning with Trivy. And Snyk doesn’t help with the process of creating and publishing advisories, which is what I was looking for originally. I’ve revoked the GitHub PAT since we won’t be using Snyk for now.

Regarding worrying emails to this mailing list, we have had a couple of these kinds of worrying emails in the past, and I propose the following process for the next time it happens:

  • Whoever notices this type of worrying email should report it to the cert-manager-dev channel with @ all maintainers mentioned.
  • The person who did it (me in this case) should put a message on that same channel + send an email responding to the mailing list email.

I don't know where to document that, so I'll just document it here.

Thoughts? @cert-manager/milestone-maintainers
