External authentication and automated publishing #192
kb-1000 started this conversation in Feature requests (0 replies)
I'd like to propose a concept comparable to PyPI's trusted publishers.
Trusted publishers is PyPI's name for letting external services, primarily GitHub Actions (but it allows configuring others as well) authenticate with your package using OpenID Connect and publish releases that way.
This way, you avoid needing to store a token in the secrets, which ideally should be rotated from time to time (which almost no one does anyway), and rather identify through... the identity of your process and its location.
Additionally, you could limit the access you grant that external service (for example, a user can decide to give an actions workflow only access to uploading versions in only one of their projects, or go as far as letting it manage members), and track what uploaded it (the publisher of a version could then be shown as "GitHub Actions" with a link to the workflow run).
This might go a tiny bit further than what PyPI does, but I think that's worth it.
Some additional notes: if you implement this, always check the audience of the token, or you end up with security issues comparable to using GitHub personal access tokens to authenticate with non-GitHub services.
(I've posted this as a CurseForge suggestion as well)
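The registry-side policy layer the post describes, as an added example (not code from this project, from PyPI, or from the post's author): generic claim checks first (issuer, audience, expiry), then matching the token to a per-project publisher entry with scoped permissions, and finally producing the "published by GitHub Actions, see this run" provenance record. The issuer URL and claim names (`repository`, `job_workflow_ref`, `run_id`) are those GitHub Actions puts in its OIDC tokens; the registry audience string, the publisher entries and the sample claims are constructed. It assumes the token's signature has already been verified against the issuer's JWKS, so it does no cryptographic checks itself.

```python
"""Trusted-publisher policy layer (added example; assumes signature already verified)."""
import time
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Issuer URL and claim names below are those of GitHub Actions' OIDC tokens.
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"
# Constructed audience value identifying this registry (an assumption).
REGISTRY_AUDIENCE = "example-mod-registry"


@dataclass(frozen=True)
class Publisher:
    """One trusted-publisher entry as a user would configure it on a project."""
    repository: str              # "owner/repo"
    workflow_ref: str            # "owner/repo/.github/workflows/x.yml@refs/heads/main"
    project: str                 # the single project this publisher may act on
    permissions: FrozenSet[str]  # e.g. {"upload"} or {"upload", "manage_members"}


class TokenRejected(Exception):
    pass


def validate_claims(claims: dict, now: Optional[float] = None) -> dict:
    """Checks applied to every token before any trust decision.

    The audience check is what stops a token minted for some other service
    (a cloud provider, another registry) from being replayed here.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ACTIONS_ISSUER:
        raise TokenRejected("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if REGISTRY_AUDIENCE not in audiences:
        raise TokenRejected("token was not minted for this registry (bad audience)")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("token expired or has no exp claim")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        raise TokenRejected("token not yet valid")
    return claims


def authorize(claims: dict, publishers, project: str, action: str,
              now: Optional[float] = None) -> dict:
    """Match the token to a publisher configured on `project`, then check `action`.

    Returns the provenance record the registry can attach to the uploaded version.
    """
    c = validate_claims(claims, now)
    for p in publishers:
        if (c.get("repository") == p.repository
                and c.get("job_workflow_ref") == p.workflow_ref
                and p.project == project):
            if action not in p.permissions:
                raise TokenRejected(f"publisher not allowed to {action} on {project}")
            return {
                "publisher": "GitHub Actions",
                "run_url": f"https://github.com/{p.repository}/actions/runs/{c['run_id']}",
                "project": project,
                "action": action,
            }
    raise TokenRejected("no trusted publisher configured for this token and project")


# --- Constructed sample data -------------------------------------------------
PUBLISHERS = [
    Publisher("alice/coolmod",
              "alice/coolmod/.github/workflows/release.yml@refs/heads/main",
              "coolmod", frozenset({"upload"})),
]
# Claims shaped like a GitHub Actions token (constructed; signature check assumed done).
GOOD_CLAIMS = {
    "iss": GITHUB_ACTIONS_ISSUER,
    "aud": REGISTRY_AUDIENCE,
    "sub": "repo:alice/coolmod:ref:refs/heads/main",
    "repository": "alice/coolmod",
    "job_workflow_ref": "alice/coolmod/.github/workflows/release.yml@refs/heads/main",
    "run_id": "123456789",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
}
# Same workflow, but the token was requested for a different audience.
WRONG_AUDIENCE_CLAIMS = dict(GOOD_CLAIMS, aud="sts.amazonaws.com")
NOW = 1_700_000_100  # fixed clock so the sample is reproducible


def try_action(claims: dict, project: str, action: str):
    """Return the provenance record, or the rejection reason as a string."""
    try:
        return authorize(claims, PUBLISHERS, project, action, now=NOW)
    except TokenRejected as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print(try_action(GOOD_CLAIMS, "coolmod", "upload"))
    print(try_action(WRONG_AUDIENCE_CLAIMS, "coolmod", "upload"))
    print(try_action(GOOD_CLAIMS, "coolmod", "manage_members"))
    print(try_action(GOOD_CLAIMS, "othermod", "upload"))
```

The order matters: audience, issuer and expiry are rejected before any publisher lookup, so a token that is valid for some other service never reaches the trust decision, and the `permissions` set on each entry is what lets a user grant a workflow upload-only access to one project while withholding member management.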