Comments (18)
So I checked a bit into GitHub actions again and they provide a secure way to deal with deployment secrets: https://docs.github.com/en/actions/security-guides/encrypted-secrets
The advantage here is that we could trigger a deploy action once a PR is opened to merge into release or master.
We can run:
- basic tests (as we already do with every PR)
- extended tests (adapter impl using the new release, examples using the new release, maybe pentests?)
- additional security scans (npm audit, static code analysis using GitHub CodeQL)
- npm publish dry-run using the deploy keys
Then, once finally merged into this specific branch, we can start another action that
- tags the commit with release-<version>
- finally runs npm publish using the deploy keys
- creates a release on GitHub as well
Advantages:
- less error prone, since automated
- no relying on a single human to release a new version (imagine the person responsible for deploy is sick at home or on vacation)
- if we abandon we can leave the deploy keys for the upcoming maintainers
Disadvantages:
- we need to tighten access restrictions to the release branches as well as possible (maybe a PR to this release branch must require 2+ approved reviews and can only be opened by maintainers?)
from node-oauth2-server.
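The two-stage pipeline proposed in the comment above (verify on a PR against the release branch, then tag and publish after the merge), written out as a GitHub Actions workflow. This is an added example and not the project's own workflow; it assumes a branch named `release`, an npm token stored as the encrypted secret `NPM_TOKEN`, and the `release-<version>` tag scheme from the comment.

```yaml
name: release
on:
  pull_request:
    branches: [release]
  push:
    branches: [release]
jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # CodeQL uploads its findings
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test                       # basic tests
      - run: npm audit --audit-level=high   # dependency scan
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v2
      - run: npm publish --dry-run          # exercise the deploy key without publishing
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
  publish:
    if: github.event_name == 'push'   # only after the merge into release
    needs: verify
    runs-on: ubuntu-latest
    permissions:
      contents: write   # push the tag, create the release
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - name: tag the merged commit as release-<version>
        run: |
          VERSION=$(node -p "require('./package.json').version")
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
          git tag "release-$VERSION" && git push origin "release-$VERSION"
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: gh release create "release-$VERSION" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Secrets are not exposed to workflows triggered by PRs from forks, so the dry-run step only has the token when a maintainer opens the PR from a branch in the repository itself, which matches the access restriction discussed above.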
@oklas I just realized you were the same person that e-mailed me personally asking to be added as a maintainer.
I can understand that it's good to be on the "inside", but we JUST got started and we are starting with updating the out-of-date dependencies and removing / fixing major issues. Besides, I am not even sure what third-party services we need or IF we need any at the moment; that's something we haven't even discussed yet nor are anywhere near.
Whenever we get to that point and if/when we grow more, I will gladly add you as a maintainer next, but for the time being, I really don't see the need to add another maintainer. You can help by writing PRs, because that's all we need right now.
I hope you don't take this the wrong way; I just want to be very careful moving forward. This is our make-or-break moment and I want to tread carefully.
from node-oauth2-server.
Yes, let me do this tomorrow morning; I will ping you once completed.
from node-oauth2-server.
Excellent considerations. I would be glad to work on this and continue developing the release process based on the commit message (the ideas that I suggested in #32).
from node-oauth2-server.
@HappyZombies can you add @oklas to the maintainers? I unfortunately can't.
@oklas that would be great! Are you familiar with dependabot and github actions? I am so half-half (used both in my projects and read the docs but skipped many sections that I thought irrelevant at that time). I think we can make huge progress just by getting to know how both actually work:
https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
from node-oauth2-server.
@jankapunkt I think I want to hold off adding maintainers right now, unless adding oklas will bring great value? If he wants to contribute he can just write PRs.
I don't see how adding more people as maintainers and giving them write access will help right now, I think we are doing good with us 3, and another might be a too many cooks in the kitchen situation.
Also, because of what @jwerre mentioned in #16 (comment), we don't wanna just add maintainers willy-nilly (if I am being honest I took a risk with adding you both and I don't wanna keep taking risks lol)
from node-oauth2-server.
(if I am being honest I took a risk with adding you both and I don't wanna keep taking risks lol)
🤣
from node-oauth2-server.
@HappyZombies alright, no problem, I can totally understand this; it's all risky for all of us involved (at least when running this in production)
Well, then let's first go through the proposed release strategy and see if you and @jwerre have any further thoughts on this.
from node-oauth2-server.
"Just write PR" can only be done for just code and tests. Working on things like config and interacting with third party services tuned to a specific repository or branch requires access to the repository and branch and third party services. Therefore, the first way is to set up a similar complex of systems in another repository, which means not just a fork, but a complex of interconnected systems. And the second way is a membership, which @jankapunkt suggested. And of course, permanent work is much more convenient and efficient from the inside.
from node-oauth2-server.
@jankapunkt let's move forward with publishing using GH Actions. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry
from node-oauth2-server.
@HappyZombies @jwerre we definitely need to add a 2nd factor on the NPM repo as a countermeasure against supply chain attacks, which just happened with ua-parser-js.
Then we can also automate releases, because a release attempt will have to pass the 2nd factor, which makes it harder to release a hijacked package in case one of our GitHub accounts is compromised.
Do you guys actually have a 2nd factor active on your GH accounts? Same goes for PGP for commits (you can see that as my commits are "verified") -> it prevents someone simply committing code on your behalf even if they know your password / hacked your account.
from node-oauth2-server.
In case you didn't notice already: faisalman/ua-parser-js#536
from node-oauth2-server.
@jankapunkt I do have two-factor active.
from node-oauth2-server.
In case you didn't notice already: faisalman/ua-parser-js#536
Thanks for the heads up on this!
from node-oauth2-server.
@jankapunkt and @jwerre for sure two factor is very important to have not just in GitHub but in NPM too!
I think we can also look into adding PGP for commits, given things like the ua-parser-js incident.
from node-oauth2-server.
@jankapunkt I just checked the organization settings; enabling two-factor will actually kick you out of the org. Mind enabling two-factor for your GitHub account before I make this change?
from node-oauth2-server.
@HappyZombies done, please check again
from node-oauth2-server.
Closing since we are done here and also due to #121
from node-oauth2-server.