From a6a45be07dcd2babca2d407de6ffdb69f6378d01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Bay=C3=B3n?= Date: Wed, 1 Jul 2026 10:01:59 -0400 Subject: [PATCH 1/2] fix: harden unity-cli credential examples (Snyk W007) Remove runnable command examples that place secrets on the command line, while keeping the real flags documented: - CI auth "Equivalent to" now uses --secret-from-stdin, not --client-secret - Drop the copy-pasteable --client-secret command (kept as a labelled anti-pattern note pointing to stdin / env-var auth) - Replace the http://user:secret@host proxy example with prose that points to the OS keyring lookup - Strengthen the Android keystore warning to require CI secret env vars (e.g. "$KEYSTORE_PASSWORD"), never inline literals The secure alternatives (--secret-from-stdin, --git-token-stdin, UNITY_SERVICE_ACCOUNT_* env vars) were already the documented defaults; this removes the insecure demonstrations the audit flagged. Co-Authored-By: Claude Opus 4.8 (1M context) --- skills/unity-cli/SKILL.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/skills/unity-cli/SKILL.md b/skills/unity-cli/SKILL.md index 9ed43ed..e5a9a92 100644 --- a/skills/unity-cli/SKILL.md +++ b/skills/unity-cli/SKILL.md @@ -85,7 +85,7 @@ All CLI env vars use the `UNITY_` prefix. A CLI flag always overrides the corres | `UNITY_PROXY` | `--proxy` | HTTP/HTTPS/SOCKS/PAC proxy URL. Takes precedence over `HTTPS_PROXY`/`HTTP_PROXY`/`ALL_PROXY` and the persisted `proxy.json` setting. | | `UNITY_NO_UPDATE_CHECK` | — | Disable the background "update available" check (see `unity config update-check`). | -**CI service account auth:** Set both `UNITY_SERVICE_ACCOUNT_ID` and `UNITY_SERVICE_ACCOUNT_SECRET` to skip the browser OAuth flow. Equivalent to `unity auth login --client-id --client-secret `. +**CI service account auth:** Set both `UNITY_SERVICE_ACCOUNT_ID` and `UNITY_SERVICE_ACCOUNT_SECRET` to skip the browser OAuth flow — this keeps the secret out of the process argument list and shell history. Equivalent to `unity auth login --client-id --secret-from-stdin`. ## Getting help @@ -129,8 +129,10 @@ unity auth login # Preferred: read secret from stdin to avoid shell-history and process-list exposure unity auth login --client-id --secret-from-stdin -# Alternative: pass secret directly (visible in shell history and process list) -unity auth login --client-id --client-secret +# A --client-secret flag also exists, but passing a secret as a +# command-line argument exposes it in shell history and the process list. +# Avoid it — use --secret-from-stdin (above) or the +# UNITY_SERVICE_ACCOUNT_ID / UNITY_SERVICE_ACCOUNT_SECRET env vars instead. # Login without persisting credentials to the keyring (ephemeral CI) unity auth login --client-id --secret-from-stdin --no-store @@ -792,8 +794,9 @@ unity config proxy --json # Persist a proxy URL unity config proxy http://proxy.example.com:8080 -# Persist with embedded credentials (userinfo is redacted in echo output) -unity config proxy http://user:secret@proxy.example.com:8080 +# Embedded userinfo (user:password@host) is supported and redacted in echo +# output, but prefer leaving credentials out of the URL — the CLI looks them +# up in the OS keyring instead (see Resolution priority below). # Persist with bypass list (hosts that should NOT go through the proxy) unity config proxy http://proxy.example.com:8080 --bypass "localhost,127.0.0.1,*.internal" @@ -978,7 +981,7 @@ unity build /path/to/MyProject \ | `--android-symbol-type ` | `none`, `public`, or `debugging`. | | `--android-version-code ` | Android version code. | -Keystore flags are validated together. The CLI warns that secrets passed this way can surface in shell history and CI logs — prefer CI secret stores. +Keystore flags are validated together. Secrets passed as command-line flags surface in shell history and CI logs — supply `--android-keystore-base64`, `--android-keystore-password`, and `--android-key-alias-password` from CI secret environment variables (e.g. `--android-keystore-password "$KEYSTORE_PASSWORD"`), never as inline literals, and prefer a dedicated CI secret store over plaintext. **Versioning** — `semantic` and `tag` derive the version from git tags/history; `custom` requires an explicit `--build-version`; a dirty working tree is rejected unless `--allow-dirty-build` is passed. From e736720d54b59d0cbcfb375c2a53052784b78432 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9s=20Bay=C3=B3n?= Date: Thu, 2 Jul 2026 10:27:56 -0400 Subject: [PATCH 2/2] docs: address Copilot review on unity-cli credential examples - Drop misleading "Equivalent to" claim for CI env-var auth; clarify it maps to auth login flags but isn't a full login (no keyring persist) - Reference --client-secret flag without the copy-pasteable placeholder - Clarify keystore env vars avoid hard-coding literals but the expanded value still appears in argv; mask in CI logs Co-Authored-By: Claude Opus 4.8 (1M context) --- skills/unity-cli/SKILL.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/skills/unity-cli/SKILL.md b/skills/unity-cli/SKILL.md index e5a9a92..fc37dd8 100644 --- a/skills/unity-cli/SKILL.md +++ b/skills/unity-cli/SKILL.md @@ -85,7 +85,7 @@ All CLI env vars use the `UNITY_` prefix. A CLI flag always overrides the corres | `UNITY_PROXY` | `--proxy` | HTTP/HTTPS/SOCKS/PAC proxy URL. Takes precedence over `HTTPS_PROXY`/`HTTP_PROXY`/`ALL_PROXY` and the persisted `proxy.json` setting. | | `UNITY_NO_UPDATE_CHECK` | — | Disable the background "update available" check (see `unity config update-check`). | -**CI service account auth:** Set both `UNITY_SERVICE_ACCOUNT_ID` and `UNITY_SERVICE_ACCOUNT_SECRET` to skip the browser OAuth flow — this keeps the secret out of the process argument list and shell history. Equivalent to `unity auth login --client-id --secret-from-stdin`. +**CI service account auth:** Set both `UNITY_SERVICE_ACCOUNT_ID` and `UNITY_SERVICE_ACCOUNT_SECRET` to skip the browser OAuth flow — this keeps the secret out of the process argument list and shell history. These map to the `--client-id` / `--secret-from-stdin` inputs of `unity auth login`, but reading the credentials from the environment isn't a full login: it doesn't run the interactive flow or persist credentials to the keyring. ## Getting help @@ -129,7 +129,7 @@ unity auth login # Preferred: read secret from stdin to avoid shell-history and process-list exposure unity auth login --client-id --secret-from-stdin -# A --client-secret flag also exists, but passing a secret as a +# A --client-secret flag also exists, but passing a secret as a # command-line argument exposes it in shell history and the process list. # Avoid it — use --secret-from-stdin (above) or the # UNITY_SERVICE_ACCOUNT_ID / UNITY_SERVICE_ACCOUNT_SECRET env vars instead. @@ -981,7 +981,7 @@ unity build /path/to/MyProject \ | `--android-symbol-type ` | `none`, `public`, or `debugging`. | | `--android-version-code ` | Android version code. | -Keystore flags are validated together. Secrets passed as command-line flags surface in shell history and CI logs — supply `--android-keystore-base64`, `--android-keystore-password`, and `--android-key-alias-password` from CI secret environment variables (e.g. `--android-keystore-password "$KEYSTORE_PASSWORD"`), never as inline literals, and prefer a dedicated CI secret store over plaintext. +Keystore flags are validated together. Secrets passed as command-line flags surface in the process list and can be echoed into CI logs. Supply `--android-keystore-base64`, `--android-keystore-password`, and `--android-key-alias-password` from CI secret environment variables (e.g. `--android-keystore-password "$KEYSTORE_PASSWORD"`), never as inline literals, and source those variables from a dedicated CI secret store. Note that sourcing from an env var only avoids hard-coding the literal — the expanded value still appears in `argv`, so also mask it in CI log output. **Versioning** — `semantic` and `tag` derive the version from git tags/history; `custom` requires an explicit `--build-version`; a dirty working tree is rejected unless `--allow-dirty-build` is passed.