-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pub publish over CI should be supported #2227
Comments
I'm not convinced this is the way to go. Your personal Ideally, we could somehow allow service accounts to be member of a publisher or uploader on a package on pub.dev, and then go from there. But there is still a few unknowns here. |
I agree but that's the only way we have for now so people are using it, might be a good idea to have a quick win and make it easy to use for now no ?
Not sure what device accounts mean in this context. |
I'm not sure we should add this to the
That might be the solution, but then you're forced to manage a token which can be leaked. But as I said, this is not fully conceived yet, I have some digging to do to find out how |
@jonasfj has this progressed at all? |
No - not much has happened here recently |
We had some ideas, but nothing has shipped yet. I think we're still not entirely sure how to best do this.. Simple tokens is easy, but also awfully easy to leak :/ |
@jonasfj I agree that simple tokens is too naive. Perhaps there might be an optional integration (from pub.dev) which scrapes GitHub/GitLab/whatever and tries to publish whenever a commit is pushed. Of course, this means introducing an interface to these APIs, dealing with Oauth, etc. I know Heroku has a feature like this, but I don't know how much complexity is added by doing it. EDIT: this comment might be out of scope here, since this is more for https://github.com/dart-lang/pub-dev. If you think this would be worth discussion, I can refile there. |
@AKushWarrior yeah, options I'm thinking of is:
So far that's my incomplete thoughts.. Maybe there are other options. Maybe simple tokens isn't so bad. Maybe we should do both (1) and (2). And maybe this is not the most urgent feature :) |
@jonasfj thanks for taking the time to write that out. RE Simple tokens: As long as you can regenerate them easily, I don't think there is too much risk there. But user-centric security errors will see a spike. RE 1: I agree that it can coincide with 2. On the other hand, it is more of a supplementary than a full solution. RE 3: I didn't know it would be that significant an overhead. Obviously CI publish is a fairly small feature, so GitHub integration should probably be way down the list. Maybe, since simple tokens would be relatively easy, you could try rolling that out. In the case that it fails spectacularly (breaches and leaks everywhere), it should also be simple to roll back. Of course, all this is not the most urgent thing. Still, it's a nice feature to have. As a package dev, I can say firsthand that pushing to both GitHub and pub is an annoying hindrance, as opposed to CI. |
Is there any guideline on publishing a package over CI at the moment? Using an expiring access token does not seem like a permanent solution. I could not find anything in the docs or on Google (except some attempts using the access token from credentials.json which I assume expires after a couple of hours). |
@aeneasr, the It's recommended that packages be published manually until a solution have been found. |
Thank you for the info! Would the refresh token not be invalidated once used? Or is it valid until forever? Unfortunately, using non-automation/manual is not an option for us except for not supporting Dart, which is also not an option :) |
It's an oauth token refresh token, if you sign-in to |
Thank you for the clarification. I assume |
But yes, this is not designed for CI publishing, even if it's technically possible. |
Awesome, thank you again for the clarification and super quick turnover! |
I'm coming in late, but I read the thread and I wonder if we could be a bit more precise here. So far what I understood is:
Does this summary sound reasonable? Should we rename to simply "Pub publish should support CI" to carry out the sentiment? |
I edited the title to be a bit more precise. |
Token authentication have been introduced, this is really just a matter of supporting it for pub.dev. |
Refiled as -> dart-lang/pub-dev#5388 |
Would be amazing to be able to do something like
pub publish --auth=MY_PUB_TOKEN
Because if you want to setup automatic publishing (when you create a tag for example) it's currently quite ugly (see https://github.com/rushio-consulting/rc_router/blob/master/.github/workflows/on_tag.yml).
Having to put the path like
run: echo ${{secrets.PUB_CREDENTIALS}} > /opt/hostedtoolcache/flutter/1.9.1-hotfix.2-stable/x64/.pub-cache/credentials.json
is not really great to maintain.I don't mind trying to make the PR for this if your telling me it's the way to go
The text was updated successfully, but these errors were encountered: