NPM_TOKEN for node-core-utils to auto publish to npm #618

Closed
mmarchini opened this issue Jun 10, 2021 · 19 comments

Comments

@mmarchini
Contributor

Request to create a NPM_TOKEN on node-core-utils containing an npm automation token for the nodejs-foundation npm user so that we can automate releases for node-core-utils.

Requires 2 approvals from @nodejs/tsc and 2 approvals from @nodejs/community-committee.

@richardlau
Member

This would be a change in policy:
https://github.com/nodejs/admin/blob/main/npm-management.md

The purpose of the nodejs-foundation user is not to enable Build Workgroup members to publish npm modules, that should be left to the module collaborators.

@mmarchini
Contributor Author

mmarchini commented Jun 10, 2021

Nice catch, although I don't interpret that item as "don't use tokens with this user", but rather "you shouldn't log in to this user to publish the module manually" (and I'm pretty sure we've done that with some modules anyway).

Either way, we can change our policy or create a new user for each module (saving the credentials on 1password/lastpass), which is a pain but would prevent the "token can publish any module" security concern.

@Trott
Member

Trott commented Jun 11, 2021

I'm 👍 on this, and would also happily 👍 something that clarified the policy.

@mhdawson
Member

It was the "you shouldn't log in to this user to publish the module manually" part that was intended.

I think for auto publishing this makes sense, and I don't see why we'd create another user. I'm +1 to this as well.

@joyeecheung
Member

saving the credentials on 1password/lastpass

Don't we do that sort of thing with the secrets repo using dotgpg?

@mmarchini
Contributor Author

Don't we do that sort of thing with the secrets repo using dotgpg?

Yes, but that also makes it harder for us to manage access to secrets, which is why I also opened nodejs/build#2647.

@bnb
Contributor

bnb commented Jun 14, 2021

+1

@mhdawson
Member

@mmarchini do you want to get together to create the required token? I can access the nodejs-foundation account but would like to do it together so that we create what you need (which I'm not 100% sure I'd get right on my own).

@targos
Member

targos commented Mar 30, 2022

@mhdawson

  1. Go to https://www.npmjs.com/settings/nodejs-foundation/tokens/new
  2. Enter the nodejs-foundation account's password
  3. Name: NPM_TOKEN secret to publish node-core-utils ?
    Type: "Automation"
    Click "Generate Token"
  4. Copy the generated token (it starts with "npm_")
  5. Go to https://github.com/nodejs/node-core-utils/settings/secrets/actions/new
  6. Name: NPM_TOKEN
    Value: the token you copied at 4.
    Click "Add secret"
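How the NPM_TOKEN secret created in the steps above is consumed by a release workflow, as an added example that is not part of this issue or of node-core-utils' own CI configuration. It assumes a hypothetical workflow file at .github/workflows/release.yml, a release triggered by pushing a tag starting with v, and Node 16; the secret name NPM_TOKEN and the package node-core-utils are from the thread. actions/setup-node's registry-url input writes an .npmrc that reads the token from the NODE_AUTH_TOKEN environment variable, so the token is never written into the checked-in tree.

```yaml
# Hypothetical workflow: .github/workflows/release.yml (added example, not the project's file).
name: Publish to npm

on:
  push:
    tags:
      - 'v*'   # assumption: a release is a pushed tag such as v1.2.3

permissions:
  contents: read   # the job only reads the repo; publish auth is the npm token, not GITHUB_TOKEN

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-node@v3
        with:
          node-version: 16           # assumption: pick the version the package supports
          registry-url: 'https://registry.npmjs.org'
          # setup-node writes an .npmrc pointing at ${NODE_AUTH_TOKEN}, so the
          # secret is read from the environment at publish time and never committed.

      - run: npm ci

      - run: npm test

      - run: npm publish
        env:
          # NPM_TOKEN is the repository secret created in the steps above. It must
          # be an npm "Automation" token: a "Publish" token is blocked by the
          # nodejs-foundation account's 2FA, which is the failure seen later in this thread.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two checks before relying on this: the token type must be "Automation" (only that type bypasses the account's 2FA at publish time), and the package's publishing access setting on npmjs.com must not be "Require two-factor authentication and disallow tokens", since that setting refuses every token, automation ones included; that is the setting checked later in this thread at https://www.npmjs.com/package/node-core-utils/access. Limiting the trigger to tag pushes also limits exposure of the secret: GitHub does not pass repository secrets to workflows triggered by pull requests from forks, and an account-wide token for nodejs-foundation can publish any package that user has access to, which is the "token can publish any module" concern raised above.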

@mhdawson
Member

mhdawson commented Apr 7, 2022

@targos OK, done, but not sure that will be enough since 2FA is enabled.

@targos
Member

targos commented Apr 8, 2022

It should be fine. Automation tokens bypass 2FA. Thank you!

@targos
Member

targos commented Apr 8, 2022

@targos OK, done, but not sure that will be enough since 2FA is enabled.

Looks like you were right: https://github.com/nodejs/node-core-utils/runs/5885136215?check_suite_focus=true

I don't know what's blocking it, though. I have set up automation tokens without issues before (on an account that has 2FA enabled too).

@targos
Member

targos commented Apr 14, 2022

I checked on https://www.npmjs.com/package/node-core-utils/access and the package doesn't enforce 2FA so I really don't know what's wrong.

@targos
Member

targos commented Apr 14, 2022

nodejs-foundation also has access:
[image: screenshot of the package access page]

@targos
Member

targos commented Apr 14, 2022

@mhdawson are you sure that you didn't create a publish token instead of an automation token?

@mhdawson
Member

@targos I thought I followed your instructions above exactly. What would be the difference between the two (i.e. what did I miss in the instructions above that would result in a publish instead of an automation token)? Once I understand that I can try again.

@aduh95
Contributor

aduh95 commented Apr 19, 2022

See https://github.blog/changelog/2020-10-02-npm-automation-tokens/

An automation token will bypass the 2FA when publishing, while the publish token will not:
[image: screenshot from the npm website]

@mhdawson
Member

@aduh95 OK, thanks. Updated, and I should have it correct this time.

@targos
Member

targos commented Apr 19, 2022

It worked this time: https://github.com/nodejs/node-core-utils/runs/6081510688?check_suite_focus=true
Thanks!

@targos targos closed this as completed Apr 19, 2022