This repository has been archived by the owner on May 4, 2022. It is now read-only.

ci: remove greenkeeper lockfile upload step #722

Conversation

ChristianMurphy
Contributor

The GreenKeeper lockfile upload step requires having a secure token injected into the public continuous integration environment.
With the current GitHub OAuth API, this would mean the generating user would need to create a token that gives write access to ALL of their public GitHub repositories.
This might be feasible with a build user scoped to a single repository, or if GitHub improves their API.
However, at the moment this seems like a security risk.

Short term, the best solution appears to be disabling the upload step, so CI doesn't waste time attempting a push that will not work.
Leaving humans to manually rm -rf package-lock.json node_modules && npm install && git commit -a -m "chore(package): update package lock file" && git push upstream
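The risk described above is a CI token whose scopes grant write access to every repository of the user who generated it. As an added example (not part of this PR or of Greenkeeper), the guard below inspects the `X-OAuth-Scopes` header GitHub returns on authenticated API calls and refuses to run the lockfile upload when the token carries a repo-wide write scope (`repo` or `public_repo`); the sample header values are constructed, and the `fetch_scopes_header` helper is only needed when running against the live API.

```shell
#!/bin/sh
# Added example: refuse the lockfile upload step when the CI token is broader
# than one repository. GitHub lists the scopes granted to an OAuth token in the
# X-OAuth-Scopes response header of any authenticated API call.

# token_scopes_too_broad HEADER_LINE
#   returns 0 when the scopes include 'repo' or 'public_repo' (write access to
#   every repository the token owner can push to), 1 otherwise. An absent or
#   empty header (for example, a fine-grained or app token) counts as narrow.
token_scopes_too_broad() {
  scopes=$(printf '%s\n' "$1" \
    | sed -n 's/^[Xx]-[Oo][Aa]uth-[Ss]copes: *//p' \
    | tr -d '\r' | tr ',' '\n' | tr -d ' ')
  for s in $scopes; do
    case "$s" in
      repo|public_repo) return 0 ;;   # exact match: 'repo:status' stays narrow
    esac
  done
  return 1
}

# fetch_scopes_header TOKEN
#   prints the X-OAuth-Scopes header for TOKEN (network access required).
fetch_scopes_header() {
  curl -s -D - -o /dev/null -H "Authorization: token $1" \
    https://api.github.com/user | grep -i '^x-oauth-scopes:'
}

# guard_lockfile_upload HEADER_LINE
#   returns 1 (skip the step) for an over-scoped token, 0 when it is acceptable.
guard_lockfile_upload() {
  if token_scopes_too_broad "$1"; then
    echo "refusing greenkeeper-lockfile-upload: token has repo-wide write scope" >&2
    return 1
  fi
  return 0
}

# Constructed sample headers, shaped like GitHub's responses.
SAMPLE_BROAD='X-OAuth-Scopes: public_repo, read:org'
SAMPLE_NARROW='X-OAuth-Scopes: read:org'
```

In a CI job the header would come from `fetch_scopes_header "$GH_TOKEN"` and the upload step would run only if `guard_lockfile_upload` succeeds.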


@ChristianMurphy ChristianMurphy requested a review from a team October 7, 2017 02:21
Contributor

@apetro apetro left a comment


Is there documentation to update to note when and how what humans ought to

rm -rf package-lock.json node_modules && npm install && git commit -a -m "chore(package): update package lock file" && git push upstream

@ChristianMurphy
Contributor Author

@apetro if this moves forward, absolutely!
I'm currently digging more into secure storage of tokens on CI, and limiting scope of tokens.
Ideally, I'd like greenkeeper-lockfile-upload to run, and potentially would be interested in investigating using semantic-release.

@ChristianMurphy
Contributor Author

With the plan for #726, there will be a need for a secure way for CI to push to master.
After some additional research it looks like deployment keys could be a good approach.

@ChristianMurphy ChristianMurphy deleted the ci/remove-greenkeeper-lockfile branch October 16, 2017 17:31
ChristianMurphy added a commit to ChristianMurphy/uportal-home that referenced this pull request Jan 20, 2018
resolves uPortal-Attic#722, the deployment key based approach didn't work out.