From David Nalley <da...@gnsa.us>
Subject Re: npm credentials on jenkins
Date Wed, 26 Nov 2014 10:31:49 GMT
On Tue, Nov 25, 2014 at 4:48 PM, Steven Gill <stevengill97@gmail.com> wrote:
> Hey Everyone,
>
> So I need to add credentials to my workspace for uploading a nightly build
> to npm for cordova.
>
> The command I need to run is `npm login` or `npm addUser`. It would prompt
> me to add my username, password and email. I think I only need to do this
> once and it would be saved in my workspace, but I would like it to be able
> to work if I started a new workspace from scratch.
>
> How do I do this in a way that is secure? I don't want to write my
> credentials into my build step.
>
> I assume a similar problem would exist for pushing changes to git.
>


So - it depends.

We have this functionality for nexus, but only allow Jenkins to
publish 'snapshot' builds for developers, and (IIRC) those stay on the
ASF's Nexus implementation. We use a role account on Nexus for Jenkins
to publish those snapshots.

We don't allow the Jenkins role account to publish releases. This
doesn't mean that we wouldn't allow a role account set up on Jenkins to
publish to NPM - but the specific issue is that anyone from any
project could at any time run a job that publishes an artifact to NPM.
(I don't think they have the concept of Snapshot builds, from my 30
seconds of reading.) I suspect that most people consume Cordova from
NPM rather than downloading source, which makes that something to
guard closely, rather than having a job that anyone with a Jenkins
account could trigger.

And FTR, I don't think we would ever allow an automated system to
commit back to a project's source code tree without input from a
committer. (Obviously we have automated commits for things like
websites, etc, but again almost all of that is initiated by a
committer).

--David
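An added example, not code from this thread and not the ASF's or Cordova's Jenkins configuration, of the pattern the original question is asking for: the build step never contains the password, and `npm login` / `npm adduser` (which persist a credential in `.npmrc`) are not run on the build node at all. Instead a publish token is handed to the job through an environment variable (the name `NPM_TOKEN` and the credential store that sets it are assumptions here), and the workspace `.npmrc` holds only a `${NPM_TOKEN}` reference that npm expands at run time. The script also carries the checks a job should make before publishing: the token is actually present, the file on disk contains no literal secret, and it is readable by the job user only. The secret value used in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): publish from a CI job without putting
# the npm credential in the build step or persisting it in the workspace.
# Assumptions: the secret store exports NPM_TOKEN to the job; the token is for
# the public registry host below.
set -eu

NPM_REGISTRY_HOST="registry.npmjs.org"   # registry the token is scoped to

# Write a workspace-local .npmrc that holds a variable reference, not the token.
# npm expands ${NPM_TOKEN} when it reads the file. The subshell keeps the
# restrictive umask from leaking into the caller's shell.
write_npmrc() {
    npmrc="$1/.npmrc"
    (umask 077; printf '//%s/:_authToken=${NPM_TOKEN}\n' "$NPM_REGISTRY_HOST" > "$npmrc")
    printf '%s\n' "$npmrc"
}

# Permission string of a file, e.g. "-rw-------" (ls is used for portability).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the literal secret does not appear in the file: a check a
# job can run on its own workspace before archiving or sharing it.
npmrc_is_clean() {
    ! grep -qF -- "$2" "$1"
}

# The publish step refuses to run when no token was injected, instead of
# falling back to whatever credential happens to be on the build node.
token_available() {
    [ -n "${NPM_TOKEN:-}" ]
}

# Prepare a workspace for `npm publish`: all three checks must pass.
# $1 = workspace dir, $2 = the token value as handed out by the store
# (used only to confirm it did not end up on disk).
prepare_publish() {
    ws="$1"
    secret="$2"
    token_available || { echo "NPM_TOKEN not set; refusing to publish" >&2; return 1; }
    f=$(write_npmrc "$ws")
    npmrc_is_clean "$f" "$secret" || { echo "literal token found in $f" >&2; return 1; }
    [ "$(file_mode "$f")" = "-rw-------" ] || { echo "$f is not owner-only" >&2; return 1; }
    printf '%s\n' "$f"
}

# Offline demo with a constructed token. A real job would export NPM_TOKEN
# from the credential store and then run `npm publish` inside "$ws".
demo() {
    ws=$(mktemp -d)
    trap 'rm -rf "$ws"' EXIT          # the .npmrc does not outlive the job
    NPM_TOKEN="constructed-demo-token-not-real"
    export NPM_TOKEN
    prepare_publish "$ws" "$NPM_TOKEN"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh publish-env.sh demo` to see the prepared `.npmrc` path; in a job, the credential store sets `NPM_TOKEN`, the build step calls `prepare_publish "$WORKSPACE" "$NPM_TOKEN"` and then `npm publish`, and the trap removes the file when the job ends, so a fresh workspace works the same way as an existing one. The same variable-reference idea keeps the token out of the job definition, the console log and any archived workspace.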
