This repository has been archived by the owner on Mar 15, 2022. It is now read-only.

registry: CI-friendly "automation" access tokens for 2FA users #6

Closed
ethomson opened this issue Sep 21, 2020 · 1 comment

Summary

We encourage users to use two-factor authentication (2FA) when using the npm registry, which will help keep their accounts secure if a username and password are leaked. Two-factor authentication also applies to tokens that were generated for a user. This prevents users from being able to both have two-factor authentication enabled and use continuous integration (CI) workflows to publish packages.

We will add a new type of access token that users can create to use in CI workflows which will not require a TOTP code when publishing.

Intended Outcome

Users can use "automation tokens" to publish to the public registry from continuous integration workflows.

How will it work?

Users will be able to generate a new "automation token" on the npmjs.com website. This token will act as an authorization token for the user who generated it, but will not require two-factor authentication, regardless of the user's 2FA settings. Package maintainers can optionally allow automation tokens to publish packages so that they can be used as secrets in continuous integration workflows.

Existing access tokens will be unchanged, and will require two-factor authentication if a user has 2FA enabled.

The npm CLI will not immediately support creation of these tokens; it will continue to generate standard (2FA-enabled) tokens.

@github-actions github-actions bot locked and limited conversation to collaborators Sep 21, 2020
@MylesBorins
Contributor

This has shipped 🎉

Happy launchtober

https://github.blog/changelog/2020-10-02-npm-automation-tokens/

@npm npm unlocked this conversation Oct 15, 2020
@MylesBorins MylesBorins transferred this issue from npm/feedback Oct 15, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Oct 15, 2020