# pulumiverse
b
hi folks, there are a few 404s being reported on the astra provider install+config page. ive opened up an issue for yall https://github.com/pulumiverse/pulumi-astra/issues/2
l
Responded in the issue.
b
@limited-rainbow-51650 how is it going on npm & NuGet? It would be great at least to have them published.
l
All provider repos need to get equipped with credentials for the various package registries.
b
Will it work if you create an npm publish token and set this secret at the pulumiverse GitHub org level so all repos could use it? Or is this not the way you want to build it?
l
There is one specific reason I don’t want to set org-level secrets: security. If a secret ever gets compromised, I don’t want it to affect all providers within pulumiverse. I will create separate credentials for each repository as a result.
b
For npm I see 2 options for today:
1. Easier to maintain but less secure. You create some pulumiverse user, then you give it access to pulumiverse packages. And then you generate tokens for it for every GitHub repo in pulumiverse. This way, if a token is compromised, you just regenerate the corresponding token without touching the others. The downside is that every token will be able to publish into all pulumiverse packages.
2. Harder to maintain but more secure. For every repo in pulumiverse you create a separate npm user that has access to a single package. And then you generate a token for it. The downside is that you will spend more time during new package setup.
@limited-rainbow-51650 could you pls share what your vision for npm is?
l
@pulumiverse on NPM is an organization, not a user: https://www.npmjs.com/org/pulumiverse
b
Can you publish to it without having a user?
l
No, API tokens are linked to a user having access to the org. npmjs.org doesn’t provide a way to have org-only or package-only tokens.
b
Then I think my suggestions are still relevant. Doesn’t it make sense to you?
l
I was going for option 1 for the time being, with every repo having a separate token. I understand the downside that it can publish anything under the @pulumiverse namespace, but I guess the PR review process can provide some security around this.
We needed to use the organization named pulumiverse on npmjs.com to claim the @pulumiverse/... package scope. https://docs.npmjs.com/about-organization-scopes-and-packages
b
Yeah. I see. I'm just trying to suggest the best way to organize access to this npm org.
Do you want to do the publish access setup manually or use some automation?
l
It’s probably going to be manual. I investigated a bit an API-based way to create API tokens but found none. The main idea was to integrate secrets configuration as part of the GitHub organization setup here: https://github.com/pulumiverse/infra
So in short: set the appropriate secrets for the different package repositories manually as GitHub Actions secrets on each of the provider repositories. Once configured, each provider maintainer can then publish using a git tag and a linked GHA workflow.
We don’t have a scaling problem on the number of provider repositories for the moment. 😄
b
@limited-rainbow-51650 https://github.com/pulumiverse/pulumi-astra/runs/6975042612?check_suite_focus=true#step:13:27 the PyPI publish is failing. Could you pls check the secret? Does it exist at all?
l
@bulky-hamburger-30930 this should be `${{ secrets.PYPI_API_TOKEN }}` here: https://github.com/pulumiverse/pulumi-astra/blob/main/.github/workflows/release.yml#L27
b
Woohoo!! We finally did it. All packages are published now. Thanks 😊
🎉 2
l
@broad-dog-22463 ^^
Great work @bulky-hamburger-30930. I guess this `TBD` at the end of the README can be removed, right? https://github.com/pulumiverse/pulumi-astra/#reference
b
Yes. I was going to do it when I have some free time
❤️ 1