hi folks, there are a few 404s being reported on the astra provider install+config page. ive opened up an issue for yall https://github.com/pulumiverse/pulumi-astra/issues/2

Responded in the issue.

@limited-rainbow-51650 how is it going on npm & NuGet? It would be great at least to have them published.

All provider repos need to get equipped with credentials for the various package registries.

Will it work if you create npm publish token and set this secret to pulumiverse github org so all repos could use it? Or this is not the way you want to build it?

There is one specific reason I don’t want to set org-level secrets: security. If a secret ever gets compromised, I don’t want it to affect all providers within

pulumiverse

. I will create separate credentials for each repository as a result.

For npm I see 2 options for today: 1. Easier to maintain but less secure. You create some pulumiverse user, then you give it access to pulumiverse packages. And then you generate for it tokens for every github repo in pulumiverse. This way if token is compromised you just regenerate the corresponding token without touching others. The downside is that every token will be able to publish into all pulumiverse packages. 2. Harder to maintain but more secure. For every repo in pulumiverse you create a separate npm user that has access to a single package. And then you generate a token to it. The downside is that you will spend more time during new package setup. @limited-rainbow-51650 could you pls share what is your vision for npm?

@pulumiverse

on NPM is an organization, not a user: https://www.npmjs.com/org/pulumiverse

Can you publish to it without having a user?

No, API tokens are linked to a user having access to the org. npmjs.org doesn’t provide a way to have org-only or package-only tokens

Then I think my suggestions are still relevant. Does not it make sense to you?

I was going for option 1 for the time being, with every repo having a separate token. I understand the downside that it can publish anything under the

@pulumiverse

namespace, but I guess the PR review process can provide some security around this.

Yeah. I see. I'm just trying to suggest the best way to organize access to this npm org.

It’s probably going to be manual. I investigated a bit an API based way to create api tokens but found none. Main idea was to integrate secrets configuration as part of the Github organization setup here: https://github.com/pulumiverse/infra

@limited-rainbow-51650 https://github.com/pulumiverse/pulumi-astra/runs/6975042612?check_suite_focus=true#step:13:27 pypi publish is failing. Could you pls check the secret? Does it exist at all?

@bulky-hamburger-30930 this should be

${{secrets.PYPI_API_TOKEN }}

here: https://github.com/pulumiverse/pulumi-astra/blob/main/.github/workflows/release.yml#L27

https://github.com/pulumiverse/pulumi-astra/pull/9/files could you pls review?

@broad-dog-22463 ^^

Yes. I was going to do it when I have some free time