This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Use OIDC for triggering npm publishing pipelines (#4649)
1 parent 172dd5d, commit 5c68bd1
Showing 4 changed files with 55 additions and 17 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,23 +1,16 @@ | ||
# Updating npm publishing credentials | ||
|
||
**Update: we now used Managed Identities for authentication. As such we no longer have personal access tokens that need rotated regularly.** | ||
|
||
Our GitHub actions that publish our npm package require access for two places: | ||
|
||
1. The Azure Blob Store that we upload the npm tarball to. | ||
1. The ADO release pipeline that publishes tarball to npm. | ||
|
||
For more information on these visit the internal wiki page: <https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline>. | ||
|
||
## Required keys and tokens | ||
|
||
1. `AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN`. **⚠ This will expire periodically and need updating ⚠**. This is a personal access token. An account with access to the [ADO release pipeline](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline) should create a new access token when the old one expires. To gain access to this release page you must belong to the appropriate security group; follow the instructions on the [internal wiki page](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline). For more information on how to create a personal access token see: [Use personal access tokens - Create a PAT](https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops#create-a-pat). | ||
* Request access to release pipelines through `myaccess`, Request for project Azure SDK Partners. Link can also be found in the [internal wiki page](https://dev.azure.com/azure-sdk/internal/_wiki/wikis/internal.wiki/1/Partner-Release-Pipeline) | ||
* PAT Token should have the following scope: | ||
* Release (Read, write, & execute) | ||
* Code (Read, write) | ||
* Build (Read, execute) | ||
|
||
1. `NPM_DEPLOY_AZURE_CLIENT_ID`, `NPM_DEPLOY_AZURE_TENANT_ID` and `NPM_DEPLOY_AZURE_SUBSCRIPTION_ID`. These shouldn't change. They are the OIDC (OpenID Connect) details that are used to authenticate access to Azure Blob Store. See [internal documenatation](https://skype.visualstudio.com/SPOOL/_wiki/wikis/SPOOL.wiki/49092/Updating-npm-publishing-credentials) for more details. | ||
Both of these use OpenID Connect tokens for authentication. To authorize OIDC tokens the following GitHub secrets need set: | ||
|
||
# Troubleshooting | ||
- `NPM_DEPLOY_AZURE_CLIENT_ID` | ||
- `NPM_DEPLOY_AZURE_TENANT_ID` | ||
- `NPM_DEPLOY_AZURE_SUBSCRIPTION_ID`. | ||
|
||
1. If you experience a 401 error, try rotating AZURE_SDK_RELEASE_PIPELINE_DEVOPS_TOKEN and rerun the job. | ||
These shouldn't change. See [internal documenatation](https://skype.visualstudio.com/SPOOL/_wiki/wikis/SPOOL.wiki/49092/Updating-npm-publishing-credentials) for more details where these are and how they are used for authorization. |
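Review bot: the new closing paragraph ("These shouldn't change. See [internal documenatation](...) for more details where these are and how they are used for authorization.") carries over the "documenatation" typo from the old text and the grammar of the new lead-in ("the following GitHub secrets need set") reads as a fragment; suggest "documentation" and "the following GitHub secrets need to be set". More substantively, the doc now drops the PAT and the whole "# Troubleshooting" section along with it, but says nothing about what the OIDC trust actually depends on: a reader who hits an authorization failure on the new path has no guidance, and the three secrets alone do not explain which repository, branch or environment the federated credential is expected to trust. Suggest adding a short OIDC-specific troubleshooting note in place of the removed 401 item (for example: confirm the workflow requests an ID token via `permissions: id-token: write`, and confirm the federated credential's subject matches the repository and environment the publish job runs in), and stating that the federated credential should be scoped as narrowly as the publish job allows, so the secrets in this file are not sufficient on their own to publish from an arbitrary workflow.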