So if their GH API token with access to million plus repos was this easy to compromise, isn't it plausible that their token could have been used to clone said repos? Is it possible to audit the clone history of a token?
If you want to learn how CodeRabbit does the isolation, here's a blog post about how: https://cloud.google.com/blog/products/ai-machine-learning/h...
In case you don't want to read through the PR
Curious what this (isolation mechanism) means if anyone knows.
To be fair, does anyone ¯\_(ツ)_/¯