Skip to content
This repository has been archived by the owner on May 4, 2022. It is now read-only.

ci: remove greenkeeper lockfile upload step #722

Closed
wants to merge 1 commit into from
Closed

ci: remove greenkeeper lockfile upload step #722

wants to merge 1 commit into from

Conversation

ChristianMurphy
Copy link
Contributor

The GreenKeeper lockfile upload step, requires having a secure token injected into the public continuous integration environment.
With the current GitHub oauth API, this would mean the generating user would need to create a token, that gives write access to ALL of their public GitHub repositories.
This might be feasible with a build user scoped to a single repository, or if GitHub improves their API.
However at the moment this seems like a security risk.

Short term the best solution appears to be disabling the upload step, so CI doesn't waste time attempting a push that will not work.
Leaving humans to manually rm -rf package-lock.json node_modules && npm install && git commit -a -m "chore(package): update package lock file" && git push upstream

Contributor License Agreement adherence:

@ChristianMurphy
ci: remove greenkeeper lockfile upload step
9087093 
The GreenKeeper lockfile upload step, requires having a secure token
injected into the public continuous integration environment.
With the current GitHub oauth API, this would mean the generating user
would need to create a token, that gives write access to ALL of their
public GitHub repositories.
This might be feasible with a build user scoped to a single repository,
or if GitHub improves their API.
However at the moment this seems like a security risk.

Short term the best solution appears to be disabling the upload step, so
CI doesn't waste time attempting a push that will not work.
@ChristianMurphy ChristianMurphy requested a review from a team October 7, 2017 02:21
apetro
apetro approved these changes Oct 9, 2017
View reviewed changes
Copy link
Contributor

@apetro apetro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there documentation to update to note when and how what humans ought to

rm -rf package-lock.json node_modules && npm install && git commit -a -m "chore(package): update package lock file" && git push upstream"

@ChristianMurphy
Copy link
Contributor Author

@apetro if this moves forward, absolutely!
I'm currently digging more into secure storage of tokens on CI, and limiting scope of tokens.
Ideally, I'd like greenkeeper-lockfile-upload to run, and potentially would be interested in investigating using semantic-release.

@ChristianMurphy
Copy link
Contributor Author

With the plan for #726, there will be a need for a secure way for CI to push to master.
After some additional research it looks like deployment keys could be a good approach.

@ChristianMurphy ChristianMurphy deleted the ci/remove-greenkeeper-lockfile branch October 16, 2017 17:31
ChristianMurphy added a commit to ChristianMurphy/uportal-home that referenced this pull request Jan 20, 2018
@ChristianMurphy
refactor: remove greenkeeper lockfile
151b2d8 
resolves uPortal-Attic#722, the deployment key based approach didn't work out.
@ChristianMurphy ChristianMurphy mentioned this pull request Jan 20, 2018
Merged
1 task
ChristianMurphy added a commit to ChristianMurphy/uportal-home that referenced this pull request Jan 20, 2018
@ChristianMurphy
refactor: remove greenkeeper lockfile
64de473 
resolves uPortal-Attic#722, the deployment key based approach didn't work out.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@vertein vertein vertein approved these changes

@apetro apetro apetro approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ChristianMurphy @apetro @vertein