www-builds mailing list archives

From Steven Gill <stevengil...@gmail.com>
Subject Re: npm credentials on jenkins
Date Wed, 26 Nov 2014 19:04:27 GMT
Thanks for responding David!

Just to clarify, we don't consider nightlies releases. They are just
snapshots and are published under the nightly tag to npm. You need to be
explicit if you want to download it. It is only meant for testing:
`npm install cordova@nightly`.

I have set the build to run once daily. If it does get triggered by a user,
it isn't a big deal. The version that gets published to npm under nightly
has the date in it. If the script was run twice on the same day, it would
just fail to publish because the version has already been published.

Do we have any documentation on role accounts? I'd be interested in
seeing if that would work for our use case.

Thanks!
-Steve

On Wed, Nov 26, 2014 at 2:31 AM, David Nalley <david@gnsa.us> wrote:

> On Tue, Nov 25, 2014 at 4:48 PM, Steven Gill <stevengill97@gmail.com>
> wrote:
> > Hey Everyone,
> >
> > So I need to add credentials to my workspace for uploading a nightly
> > build to npm for cordova.
> >
> > The command I need to run is `npm login` or `npm addUser`. It would
> > prompt me to add my username, password and email. I think I only need
> > to do this once and it would be saved in my workspace, but I would like
> > it to be able to work if I started a new workspace from scratch.
> >
> > How do I do this in a way that is secure? I don't want to write my
> > credentials into my build step.
> >
> > I assume a similar problem would exist for pushing changes to git.
> >
>
>
> So - it depends.
>
> We have this functionality for nexus, but only allow Jenkins to
> publish 'snapshot' builds for developers, and (IIRC) those stay on the
> ASF's Nexus implementation. We use a role account on Nexus for Jenkins
> to publish those snapshots.
>
> We don't allow the Jenkins role account to publish releases. This
> doesn't mean that we wouldn't allow a role account setup on jenkins to
> publish to NPM - but the specific issue is that anyone from any
> project could at any time run a job that publishes an artifact to NPM.
> (I don't think they have the concept of Snapshot builds, from my 30
> seconds of reading.) I suspect that most people consume Cordova from
> NPM rather than downloading source, which makes that something to
> guard closely, rather than having a job that anyone with a jenkins
> account could trigger.
>
> And FTR, I don't think we would ever allow an automated system to
> commit back to a project's source code tree without input from a
> committer. (Obviously we have automated commits for things like
> websites, etc, but again almost all of that is initiated by a
> committer).
>
> --David
>

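An added example, not taken from this thread or from Cordova's own build
scripts, of how the nightly job Steve describes can publish without an
interactive `npm login` and without a password in the build step. It assumes
a hypothetical setup: the Jenkins job binds a publish token for a dedicated
npm account to the environment variable NPM_TOKEN (for instance through the
Credentials Binding plugin's "Secret text"), package.json carries a plain
X.Y.Z version, and npm's `${VAR}` expansion in .npmrc is available. Function
names, the `-nightly.YYYYMMDD` suffix and the sample token are all mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cordova's own build scripts.
# Assumed (hypothetical) setup: the Jenkins job binds a publish token for a
# dedicated npm account to the environment variable NPM_TOKEN (e.g. the
# Credentials Binding plugin's "Secret text"), and package.json carries a
# plain X.Y.Z version. Nothing here is typed into `npm login`.
set -eu

# Write a workspace-local .npmrc that references the token through npm's
# ${VAR} expansion. The secret itself never lands on disk or in the console
# log, and a fresh workspace simply gets a fresh file.
write_npmrc() {
    dir="$1"
    : "${NPM_TOKEN:?NPM_TOKEN must be bound by the credentials plugin}"
    ( umask 077                                   # owner-readable only
      printf '%s\n' \
          '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' \
          'registry=https://registry.npmjs.org/' > "$dir/.npmrc" )
    echo "$dir/.npmrc"
}

# Date-stamped prerelease version, e.g. 4.2.0 + 20141126 -> 4.2.0-nightly.20141126.
# Two runs on the same day compute the same string, which is what makes the
# "already published" check below meaningful.
nightly_version() {
    base="$1"; day="$2"
    echo "$base-nightly.$day"
}

# True when pkg@ver already exists on the registry. Older npm prints nothing
# for an unknown version and newer npm exits non-zero; both count as "not
# published", so a same-day rerun is skipped instead of failing the build.
already_published() {
    pkg="$1"; ver="$2"
    [ -n "$(npm view "$pkg@$ver" version 2>/dev/null)" ]
}

# The build step: stamp the workspace copy of package.json (no git commit or
# tag, so the job never writes back to the source tree) and publish under the
# `nightly` dist-tag so a plain `npm install cordova` keeps resolving `latest`.
publish_nightly() {
    pkg="$1"; base="$2"
    ver=$(nightly_version "$base" "$(date -u +%Y%m%d)")
    if already_published "$pkg" "$ver"; then
        echo "$pkg@$ver is already on the registry, nothing to do"
        return 0
    fi
    write_npmrc "$PWD" >/dev/null
    npm version "$ver" --no-git-tag-version
    npm publish --tag nightly
}

# Invoked from the Jenkins build step as:
#   sh publish-nightly.sh publish cordova "$(node -p 'require("./package.json").version')"
if [ "${1:-}" = publish ]; then
    publish_nightly "$2" "$3"
fi
```

The point of writing `${NPM_TOKEN}` rather than the token value into .npmrc is
that the only copy of the secret stays in the Jenkins credentials store; a
workspace wiped and recreated from scratch needs nothing re-entered, and
nothing is shared through ~/.npmrc with every other job on the build node.
Using a token for a separate publishing account rather than a committer's
own login is what lets the account be limited to the nightly tag and revoked
without touching anyone's personal credentials.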