So, on "rotate your credentials", some of the things you'll need to do:
<p>- Does your CI job query any system using a service account? Time to rotate that service account password. Hope it wasn't used by anything other than your CI system!
<p>- Accessing systems using tokens instead of service accounts? Time to figure out how to invalidate those old tokens and gen a new one. (Also, time to find out if all the systems you use <i>can do that</i>)
<p>- Using credentials as part of your build system, like downloading a for-pay plugin for a tool using a license key? Time to rotate those too.
<p>- Time to rotate any license keys used at build-time.
<p>- I hope you weren't using IAM users! If you weren't using instance profiles / task profiles, time to rotate those secret access keys. (Some things you have to use IAM users for, like SES, iirc.)
<p>- Time to invalidate everything you built since they were first compromised, invalidate all your caches, and re-build all your artifacts from scratch.
<p>- Time to see if you had any customer information / PII / PHI / etc. accessible from your CI system.
<p>- If you deploy from your CI system, it could be that <i>every</i> system is potentially compromised. In which case, get ready to re-deploy <i>everything</i> after you have flushed and re-built everything from the above step.
<p>- Start auditing, get PR to start drafting a sad letter to customers, and get someone to investigate how to reset customer passwords etc. if needed.
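For the IAM-user item in the comment above, an added example (not part of the original comment): triaging an IAM credential report CSV to list active access keys that have not been rotated since containment. The user names, account ID, dates, and the `CI_USERS` set are constructed assumptions, and the sample uses only a subset of the report's columns.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a subset of the columns found in an IAM credential report.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,true,2023-03-01T10:00:00+00:00,2024-06-03T02:14:00+00:00,false,N/A,N/A
ses-mailer,arn:aws:iam::111122223333:user/ses-mailer,true,2024-06-06T09:30:00+00:00,2024-06-06T11:00:00+00:00,true,2022-07-15T08:00:00+00:00,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2021-05-05T12:00:00+00:00,2024-06-02T16:45:00+00:00,false,N/A,N/A
"""
# Assumptions supplied by the responder (all constructed here):
CI_USERS = {"ci-deploy", "ses-mailer"}   # IAM users whose keys were stored in CI
EXPOSURE_START = datetime.fromisoformat("2024-05-21T00:00:00+00:00")
CONTAINED_AT = datetime.fromisoformat("2024-06-05T00:00:00+00:00")

def parse_ts(value):
    """Parse a report timestamp; unset fields hold N/A and map to None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def keys_to_rotate(report_csv, ci_users, exposure_start, contained_at):
    """Return (user, key_slot, used_since_exposure) for every active key of a
    CI user that was issued before containment and so still needs rotating."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] not in ci_users:
            continue
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            rotated = parse_ts(row[prefix + "last_rotated"])
            if row[prefix + "active"] != "true" or rotated is None:
                continue  # inactive or non-existent key slot
            if rotated >= contained_at:
                continue  # issued after containment: already replaced
            # last_used_date is only the most recent use; a hit here means the
            # key's activity during the window needs reviewing in audit logs.
            used = parse_ts(row[prefix + "last_used_date"])
            findings.append((row["user"], slot,
                             used is not None and used >= exposure_start))
    return findings

if __name__ == "__main__":
    for user, slot, used in keys_to_rotate(SAMPLE_REPORT, CI_USERS,
                                           EXPOSURE_START, CONTAINED_AT):
        note = " (used since exposure began; review audit logs)" if used else ""
        print(f"{user} access key {slot}: rotate{note}")
```

A second active key on the same user (here `ses-mailer` key 2) is easy to miss when only the key in current use gets replaced.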