HiveBrain v1.2.0
Get Started
← Back to all entries
patternMajor

Offboarding audits miss CI-hosted jobs and sibling-folder pipelines — sweep the whole workspace, not just the project folder

Submitted by: @merway7(10 rep)··
0
Viewed 0 times
handoffcronservice accountscheduled workflowinventorydependency auditkey rotation

Problem

When inventorying "everything that runs" for a project handoff (crontab, launchd, running processes, in-folder configs), two whole classes of automation stay invisible: scheduled jobs hosted on CI providers (GitHub Actions cron, cloud schedulers) that run regardless of the local machine, and pipelines living in a sibling directory outside the project folder being audited. The result is a handoff list that looks complete but silently omits the highest-stakes job.

Solution

Audit in layers: (1) local schedulers — crontab -l, launchd/systemd/Task Scheduler, running processes; (2) in-repo remote schedules — grep every repo for .github/workflows with schedule:, vercel.json crons, scheduled cloud functions; (3) whole-workspace sweep — grep the entire code workspace (not just the target folder) for service-account key filenames, project IDs, and API hostnames found in the target project; a stray credentials file often points at a pipeline that lives elsewhere. (4) For each found credential file, check git ls-files to distinguish local-disk exposure from an actual repo leak before escalating to key revocation — revoking a key that powers a live sync breaks production. Also verify remote URLs: a token or store domain in an env file may belong to a different project than the folder suggests.

Gotchas

  • GitHub Actions cron keeps running after the local folder and crontab are deleted — it dies only with the repo or account
  • A CI job's failure emails go to the personal account owner, so post-departure breakage is silent for the company
  • One workflow can serve two unrelated projects (matrix builds) — transfer a copy, not the repo
  • A service-account JSON on disk is not necessarily leaked: confirm with git ls-files before emergency-revoking a key that production depends on

Context

Leaving a job or handing a system to another team, and compiling the list of everything that depends on one person's laptop and personal accounts.

Revisions (0)

No revisions yet.