[CircleCI Security Alert] Rotate any secrets stored in CircleCI

Hello.

Based on our testing, GitHub repos formerly set up in Circle, which are then deactivated (“stop building”), but then re-set up later retain their environment variable values. For any org that has been using Circle for a long time, there are likely many compromised secrets contained “invisibly” in deactivated projects. In the case of shared or long-lived secrets, it's quite possible that those secrets are still usable.

I think CircleCI needs to spell this out explicitly as I don’t think it’s been clear in the public statements to date.

Would it be possible for Support to produce a list of formerly-active projects within an account? (From the UI, projects never set up and projects formerly set up seem indistinguishable.)

Thanks for your efforts on this.

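One way an org can inventory which projects, including ones that stopped building long ago, still hold environment variables is to walk a list of candidate repos and ask the CircleCI v2 API for each project's env vars. The script below is an added example, not code from the original post or from CircleCI. It uses the real endpoint `GET /project/{project-slug}/envvar` (header `Circle-Token`), which returns only variable names and masked values, so the audit reports names, never secret values. It assumes (this is an assumption, not something the post confirms) that the endpoint still answers for projects that were set up once and later deactivated, and that projects never set up return 404. The candidate slugs and the canned API responses in `SAMPLE_RESPONSES` are constructed for the example; in practice you would build the slug list from your GitHub org's full repo list, since the CircleCI UI does not distinguish deactivated projects from never-set-up ones.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

API = "https://circleci.com/api/v2"


def fetch_envvars(project_slug: str, token: str) -> Optional[List[Dict]]:
    """Return the env var items for one project, or None if CircleCI reports 404.

    Real CircleCI v2 call; values in the response are masked by the API.
    """
    req = urllib.request.Request(
        f"{API}/project/{project_slug}/envvar",
        headers={"Circle-Token": token},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp).get("items", [])
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None  # project never set up (assumed behaviour)
        raise


def audit_projects(
    slugs: List[str], fetcher: Callable[[str], Optional[List[Dict]]]
) -> Dict[str, List[str]]:
    """Map each project slug that still holds env vars to the sorted var names.

    Projects that answer 404 (never set up) or hold no vars are omitted, so
    the result is the list of places where a secret may need rotating.
    """
    retained: Dict[str, List[str]] = {}
    for slug in slugs:
        items = fetcher(slug)
        if not items:
            continue
        retained[slug] = sorted(item["name"] for item in items)
    return retained


# Constructed sample responses standing in for the API during an offline run.
SAMPLE_RESPONSES: Dict[str, Optional[List[Dict]]] = {
    "gh/acme/api": [
        {"name": "NPM_TOKEN", "value": "xxxx1234"},
        {"name": "AWS_ACCESS_KEY_ID", "value": "xxxxABCD"},
    ],
    # Deactivated years ago but, per the post, still holding its variable.
    "gh/acme/legacy-worker": [{"name": "DEPLOY_KEY", "value": "xxxx9f0e"}],
    "gh/acme/never-built": None,  # 404 from the API
    "gh/acme/docs": [],  # set up, but no env vars
}


def sample_fetcher(slug: str) -> Optional[List[Dict]]:
    """Offline stand-in for fetch_envvars using the constructed responses."""
    return SAMPLE_RESPONSES.get(slug)


def run_sample_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed data; used by the demo and tests."""
    return audit_projects(list(SAMPLE_RESPONSES), sample_fetcher)


if __name__ == "__main__":
    # To audit a real account: replace sample_fetcher with
    #   lambda slug: fetch_envvars(slug, token)
    # and build the slug list from every repo in the GitHub org.
    for slug, names in run_sample_audit().items():
        print(f"{slug}: rotate {', '.join(names)}")
```

Every slug the audit prints is a project where a secret is still stored server-side, whether or not the project currently builds; each listed name is a candidate for rotation and for deletion via `DELETE /project/{project-slug}/envvar/{name}`.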