monitor.gitlab.net exposes private information
Earlier today I migrated the first dashboard from InfluxDB to Prometheus (https://performance.gitlab.net/dashboard/db/prometheus-events?orgId=1). This dashboard has the tag "prometheus", and as such is mirrored on monitor.gitlab.net (https://monitor.gitlab.net/dashboard/db/prometheus-events?orgId=1).
This dashboard shows a table with project names and the number of CI builds, including private projects. Even without this dashboard, one could still get this data as the Prometheus instance is publicly available. I'm not sure if one can directly run queries on Prometheus, but they are still able to do so via Grafana (e.g. https://monitor.gitlab.net/api/datasources/proxy/2/api/v1/query_range?query=sum(increase(gitlab_transaction_event_push_branch_total%7Benvironment%20%3D%20%22prd%22%7D%5B1h%5D))&start=1529280000&end=1529344584&step=3600).
I suspect owners of private repositories will not be happy with this. Worse, we may (unintentionally) expose more (important) private data in the future, because of how monitor.gitlab.net accesses its data.
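One way to audit this exposure from the defender's side, as an added example that is not part of the original report: scan the public Grafana front end's access log for datasource-proxy Prometheus queries and flag any metric that is not on a reviewed public allowlist. The log format, the sample lines, the allowlist contents and the function names are assumptions made for illustration, and the metric extraction is a heuristic rather than a full PromQL parser.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: metrics that have been reviewed and approved for public viewing.
PUBLIC_METRICS = {"up", "node_load1"}
KEYWORDS = {"and", "or", "unless", "offset", "bool"}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PROXY_RE = re.compile(r"^/api/datasources/proxy/(\d+)/api/v1/(?:query|query_range)$")

def metrics_in(promql):
    """Heuristically list the metric names referenced by a PromQL expression."""
    q = re.sub(r'"(?:\\.|[^"\\])*"', "", promql)  # drop string literals
    q = re.sub(r"\{[^}]*\}", "", q)                # drop label matchers
    q = re.sub(r"\[[^\]]*\]", "", q)               # drop range selectors
    q = re.sub(r"\b(?:by|without|on|ignoring|group_left|group_right)\s*\([^)]*\)", "", q)
    # Identifiers not followed by "(" are metrics; those followed by "(" are functions.
    names = re.findall(r"\b[A-Za-z_][A-Za-z0-9_:]*\b(?!\s*\()", q)
    return [n for n in names if n not in KEYWORDS]

def audit(log_lines):
    """Return (datasource_id, decoded_query, unapproved_metrics) per flagged request."""
    findings = []
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        url = urlsplit(req.group(1))
        proxy = PROXY_RE.match(url.path)
        if not proxy:
            continue  # not a Prometheus query through the Grafana proxy
        for promql in parse_qs(url.query).get("query", []):
            unapproved = sorted(set(metrics_in(promql)) - PUBLIC_METRICS)
            if unapproved:
                findings.append((proxy.group(1), promql, unapproved))
    return findings

# Constructed sample log lines (documentation IP addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2018:18:00:01 +0000] "GET /api/datasources/proxy/2/api/v1/query_range'
    '?query=sum(increase(gitlab_transaction_event_push_branch_total%7Benvironment%20%3D%20%22prd%22%7D%5B1h%5D))'
    '&start=1529280000&end=1529344584&step=3600 HTTP/1.1" 200 512',
    '192.0.2.11 - - [18/Jun/2018:18:00:02 +0000] "GET /api/datasources/proxy/2/api/v1/query?query=up HTTP/1.1" 200 90',
    '192.0.2.12 - - [18/Jun/2018:18:00:03 +0000] "GET /dashboard/db/prometheus-events?orgId=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ds_id, promql, unapproved in audit(SAMPLE_LOG):
        print(f"datasource {ds_id}: {promql} -> unapproved metrics {unapproved}")
```

Queries sent as POST bodies do not appear in a standard access log, so this check only covers requests that carry the query in the URL.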