Note that you need to be very careful about this if you have a public repository that accepts PR's from third parties. There is nothing stopping someone from adding this via a PR:
- name: Give me this person's NPM token
run: cat ~/.npmrc
Even if you have it locked down so they can't see the build output, they could just add a curl command to post the contents of your .npmrc file to their server.
A number of open source projects have been hacked this way in the past. This is why I keep my NPM publish entirely isolated from the Github repo. I review every PR that is submitted to me carefully, but don't want any chance of accidentally merging in a malicious PR that will compromise my NPM packages.
I like the way GitLab solves this. You mark your secrets ("CI/CD env vars") as protected, then only protected branches and tags can use them. When someone has right to merge or push to a protected branch, thay of course gain access to these vars, but if you don't allow anyone to do this, you are pretty safe.
Yes this is a problem in Rust-land too. crates.io doesn't support user tokens to be limited to a crate only [1], but gives access to all the crates an user has access to. So if the token leaks, attackers have access to all your crates. For the cpal crate we worked around the issue by creating a new github user that has only access to the cpal crate (and maybe in the future a few other crates in the same org) but nothing more [2]. This solution isn't really good tho.
Does this rely on the `.npmrc` file being cached from a previous run (which will only happen if you use a self-hosted runner)? Or does this vulnerability mean that PR contributors basically have direct access to all of the secrets that you put on your GitHub repo?
Yeah in the authors example they are writing a .npmrc file but it could also just as easily be outputting the env variable of the secret. Fundamentally if NPM can access the secret in the build that means anyone who can modify the build process can also access the secret.
There are so many vectors of vulnerability: from modifying NPM package.json scripts, to modifying makefiles, to modifying the build scripts, etc that I find the only true solution is to have one public repo that accepts PR's from the public and only does checks like linting and running the tests, but does not have any access to secrets for publish. Ideally the public repo also does not contain your actual publish scripts either, only you as the package owner have access to them, as they are stored in your own private repo.
Then have another private repo that you sync into or an external, fully private build system that keeps the secrets, and does the real NPM publish. I think it is just far too dangerous to do the NPM publish from the public facing repo. I assume the author is well aware of this too, but just wanted to include a warning in case anyone else hasn't run into this or thought of it yet.
That would be good for the UI, but PRs that modify .github/workflows already never run the checks. I guess they could also modify your npm `scripts` to `cat .npmrc` but that's another issue.
fair enough... separating build and publish actions, and using artifacts from one to the other can help limit exposure to just the publish yaml.
Though, one should be very leery of anything that touches certain paths... for the most part, I tent to use scripts/npm/ for anything run from package.json and would also watch out for any changes in .github/
It depends on a bit of due diligence. It's not any different than other CI/CD platforms in any meaningful way.
Off topic, but cool, I didn't know npm has a version bump capability. I wrote my own small cli tool[0] for new releases, which could have been even smaller via leveraging the npm builtin. Thanks!
I really like the idea of automating this whole process. While not generic to publishing to pypi, I was playing around with this process in a toy repo I have, where it builds a Rust/Python package, creates a release on Github if I bump the version number, build the package and publishes it on Pypi.
It probably not the cleanest way to do it, but I liked having it "spelled out" in steps manually to play around and learn more about how to do this.
since npm version creates a tag, I have an action for v* tags that will build/publish... have migrated a couple projects from travis-ci ... TFA is a bit mixed, you don't need to push to npmrc for this behavior though.
(I did post this link in direct thread, copied here)
Pretty much yes. Their build running machines are very powerful and loaded with lots of typical libraries. They specifically state that GHA should not be used as a general serverless compute platform in their TOS. I think that needs to be said because its perfectly capable of being a pretty robust FaaS platform in general- but certainly its totally valid to use as FaaS for git or anything that could be GitHub webhook, like PR comments, milestone updates, label creation, etc.
A number of open source projects have been hacked this way in the past. This is why I keep my NPM publish entirely isolated from the Github repo. I review every PR that is submitted to me carefully, but don't want any chance of accidentally merging in a malicious PR that will compromise my NPM packages.