Consolidate NuGet package tokens #83
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spikeheap
force-pushed
the
feature/github_token
branch
2 times, most recently
from
7375d06
to
21d383c
Compare
Historically we've published packages from our local machines, which requires a token to authenticate with the GitHub Packages NuGet Registry. Now we use CI to publish packages there is a GitHub-managed token we can use instead.. > If you're using a registry that supports granular permissions, and your workflow is using a personal access token to authenticate to the registry, then we highly recommend you update your workflow to use the GITHUB_TOKEN. > ~ from https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-granular-permissions This change removes both `LBHPACKAGESTOKEN` and `NUGET_KEY` tokens from the GitHub Actions workflow, replacing them where needed with the managed `GITHUB_TOKEN` token that's automatically made available to all jobs. In order to keep the local development/management experience the same, references to `LBHPACKAGESTOKEN` have been kept as-is in the Docker and Docker Compose setup. Docker's documentation [suggests](https://docs.docker.com/reference/dockerfile/#arg) not to use build arguments to pass secrets, so this change updates the `Dockerfile` to use [secret mounts](https://docs.docker.com/build/building/secrets/#secret-mounts), and the recommended way to [manage secrets in docker compose](https://docs.docker.com/compose/how-tos/use-secrets/). Consequences This will allow us to remove the shared secrets in GitHub Actions: - `NUGET_KEY` - `LBHPACKAGESTOKEN` At the same time, this doesn't affect the local development workflow.
spikeheap
force-pushed
the
feature/github_token
branch
from
3b202d2
to
211883a
Compare
humulla
approved these changes
Oct 1, 2024
This was referenced Oct 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Describe this PR
This PR removes two environment variables from CI which have been used to carry credentials to publish/read packages to our GitHub Packages NuGet registry:
LBHPACKAGESTOKENNUGET_KEYLBHPACKAGESTOKENcontinues to be used for local development.What is the problem we're trying to solve
Historically we've published packages from our local machines, which requires a token to authenticate with the GitHub Packages NuGet Registry. Now we use CI to publish packages there is a GitHub-managed token we can use instead..
This change removes both
LBHPACKAGESTOKENandNUGET_KEYtokens from the GitHub Actions workflow, replacing them where needed with the managedGITHUB_TOKENtoken that's automatically made available to all jobs.In order to keep the local development/management experience the same, references to
LBHPACKAGESTOKENhave been kept as-is in the Docker and Docker Compose setup.Docker's documentation suggests not to use build arguments to pass secrets, so this change updates the
Dockerfileto use secret mounts, and the recommended way to manage secrets in docker compose.Consequences
This will allow us to remove the shared secrets in GitHub Actions:
NUGET_KEYLBHPACKAGESTOKENAt the same time, this doesn't affect the local development workflow.
Checklist
Follow up actions after merging PR
LBHPACKAGESTOKENandNUGET_KEYlists here: https://github.com/organizations/LBHackney-IT/settings/secrets/actions.other 9 repositories in that list: