
brainy-church-78120

06/11/2022, 5:35 PM
hi folks, there are a few 404s being reported on the astra provider install+config page. I've opened up an issue for y'all https://github.com/pulumiverse/pulumi-astra/issues/2

limited-rainbow-51650

06/12/2022, 2:52 PM
Responded in the issue.

bulky-hamburger-30930

06/12/2022, 3:16 PM
@limited-rainbow-51650 how is it going on npm & NuGet? It would be great at least to have them published.

limited-rainbow-51650

06/12/2022, 3:23 PM
All provider repos need to get equipped with credentials for the various package registries.

bulky-hamburger-30930

06/12/2022, 4:14 PM
Will it work if you create an npm publish token and set it as a secret on the pulumiverse GitHub org so all repos could use it? Or is this not the way you want to build it?

limited-rainbow-51650

06/12/2022, 4:40 PM
There is one specific reason I don’t want to set org-level secrets: security. If a secret ever gets compromised, I don’t want it to affect all providers within pulumiverse. I will create separate credentials for each repository as a result.

bulky-hamburger-30930

06/12/2022, 5:43 PM
For npm I see 2 options for today:
1. Easier to maintain but less secure. You create some pulumiverse user, then you give it access to pulumiverse packages. And then you generate tokens for it for every GitHub repo in pulumiverse. This way if a token is compromised you just regenerate the corresponding token without touching others. The downside is that every token will be able to publish into all pulumiverse packages.
2. Harder to maintain but more secure. For every repo in pulumiverse you create a separate npm user that has access to a single package. And then you generate a token for it. The downside is that you will spend more time during new package setup.
@limited-rainbow-51650 could you pls share what your vision for npm is?

limited-rainbow-51650

06/12/2022, 5:44 PM
@pulumiverse on NPM is an organization, not a user: https://www.npmjs.com/org/pulumiverse

bulky-hamburger-30930

06/12/2022, 5:45 PM
Can you publish to it without having a user?

limited-rainbow-51650

06/12/2022, 5:46 PM
No, API tokens are linked to a user having access to the org. npmjs.org doesn’t provide a way to have org-only or package-only tokens

bulky-hamburger-30930

06/12/2022, 5:48 PM
Then I think my suggestions are still relevant. Doesn't it make sense to you?

limited-rainbow-51650

06/12/2022, 5:50 PM
I was going for option 1 for the time being, with every repo having a separate token. I understand the downside that it can publish anything under the @pulumiverse namespace, but I guess the PR review process can provide some security around this.
We needed to use the organization named pulumiverse on npmjs.com to claim the @pulumiverse/... package scope. https://docs.npmjs.com/about-organization-scopes-and-packages

bulky-hamburger-30930

06/12/2022, 6:02 PM
Yeah. I see. I'm just trying to suggest the best way to organize access to this npm org.
Do you want to do the publish access setup manually or use some automation?

limited-rainbow-51650

06/12/2022, 6:06 PM
It’s probably going to be manual. I briefly investigated an API-based way to create API tokens but found none. Main idea was to integrate secrets configuration as part of the GitHub organization setup here: https://github.com/pulumiverse/infra
So in short: set the appropriate secrets for the different package repositories manually as GitHub Actions secrets on each of the provider repositories. Once configured, each provider maintainer can then publish using a git tag and a linked GHA workflow.
We don’t have a scaling problem on the number of provider repositories for the moment. 😄

bulky-hamburger-30930

06/20/2022, 11:28 PM
@limited-rainbow-51650 https://github.com/pulumiverse/pulumi-astra/runs/6975042612?check_suite_focus=true#step:13:27 pypi publish is failing. Could you pls check the secret? Does it exist at all?

limited-rainbow-51650

06/21/2022, 8:32 AM
@bulky-hamburger-30930 this should be ${{secrets.PYPI_API_TOKEN }} here: https://github.com/pulumiverse/pulumi-astra/blob/main/.github/workflows/release.yml#L27

bulky-hamburger-30930

06/21/2022, 8:36 AM
Woohoo!! We finally did it. All packages are published now. Thanks 😊

limited-rainbow-51650

06/21/2022, 9:59 AM
@broad-dog-22463 ^^
Great work @bulky-hamburger-30930. I guess this TBD at the end of the README can be removed, right? https://github.com/pulumiverse/pulumi-astra/#reference

bulky-hamburger-30930

06/21/2022, 10:11 AM
Yes. I was going to do it when I have some free time
https://github.com/pulumiverse/pulumi-astra/pull/10 Finally got some free time 🙂