On August 24, 2023, Grafana Labs disclosed a security incident in which the GPG private key and passphrase used for signing their packages were unintentionally exposed. The exposure occurred due to a misstep in their CI service's handling of secret obfuscation. The key exposure was limited to a few internal logs and was quickly addressed by revoking the compromised certificate and issuing a new one. Although the risk of a practical attack was deemed limited, Grafana Labs implemented measures to further secure their CI pipelines by decoupling the signing process from package creation, ensuring the integrity and safety of their distributed packages. The incident was detected internally, and no third-party access or artifact discrepancies were found. A detailed post-incident review and timeline were shared to maintain transparency and emphasize Grafana's commitment to security.