Closed rit001 closed 1 year ago
Hello Friends 👋
The day has finally come 🎉 ! As we have alluded to in a few spots in this repository, we have been working on a new integration for Jira with CircleCI to replace this outdated orb which has historically been difficult for us to update. Today we are excited to announce Jira Integration V2 is finally LIVE!
New Docs: https://circleci.com/docs/jira-plugin/
Orb v2: https://circleci.com/developer/orbs/orb/circleci/jira
Atlassian Forge App: https://github.com/CircleCI-Public/circleci-for-jira
Simple question: what is the current status of this ORB and the supporting infrastructure it depends on (Jira add-on and API layer)? Having just tried to add it to my build process, the following has become rather clear:
All the docs are written by the developers of the solution and so are all written from the point of view that the reader already knows how to do something with a full understanding of the context for any provided detail.
The whole thing is built around using API 1.1 endpoints - we have spent the last 18 months being told that such endpoints would be going away 'soon'.
The endpoints are not documented in the docs - how can someone do a security audit of the API when a number of the possible calls are hidden from sight? Especially as personal tokens are used (see below).
Security is based on personal tokens which can then become visible to anyone who has access to the config.yml and the build output. Plastering '*' everywhere is not security - it is obscurity at best.
As a side issue, there is a lack of consistency in the way that CircleCI seems to author ORBs, with parameter exposure and handling making it hard to work with ORBs. This orb and the Slack orb are great examples of where they have to deal with the same issue of knowing which environment variable holds the token, but they do it in different ways.
Lastly, as a wider issue, the security hit that CircleCI took at the start of the year may have caused a number of customers to consider how and where they store secrets as the default local environment lists within CircleCI may not meet certain business requirements. The problem is that much of the CircleCI documentation still considers the local store the only valid option.
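One defensive check for the config.yml concern raised in the post above, as an added example that is not the orb's or CircleCI's own code: a line-based lint over a constructed config fragment that flags literal token values and `run` steps that echo an environment variable into build output (where masking with `*` is the only thing standing between the secret and the log). The sample config, the key patterns and the `audit_config` function are assumptions for illustration.

```python
import re

# Constructed CircleCI config fragment: one literal token, one leaky echo,
# and one step that uses the token via an env reference without printing it.
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/base:stable
    environment:
      JIRA_TOKEN: abcd1234efgh5678ijkl9012mnop3456
      JIRA_BASE_URL: https://example.atlassian.net
    steps:
      - checkout
      - run: echo "token is $CIRCLE_TOKEN"
      - run:
          name: Hardened call
          command: curl -s -H "Authorization: Bearer ${JIRA_API_TOKEN}" "$JIRA_BASE_URL/rest/api/3/myself"
"""

SECRET_KEY = re.compile(r"(token|secret|password|api_?key)", re.I)
LITERAL_SECRET = re.compile(r"^[A-Za-z0-9_\-]{20,}$")   # long opaque literal
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")     # ${VAR} / $VAR reference
ECHO_ENV = re.compile(r"\becho\b.*\$\{?[A-Z_][A-Z0-9_]*")  # prints an env var to the log


def audit_config(text):
    """Return (line_no, finding, detail) tuples for a CircleCI config.yml."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.lstrip("- ").strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        # A secret-looking key with a literal value: the token lives in config.yml
        # and is readable by anyone with repository access, masking or not.
        if SECRET_KEY.search(key) and value and not ENV_REF.match(value):
            if LITERAL_SECRET.match(value):
                findings.append((n, "literal-secret", key))
        # Echoing an env var writes its value into build output; log masking
        # is best effort and does not make this safe.
        if key in ("run", "command") and ECHO_ENV.search(value):
            findings.append((n, "echo-env", value))
    return findings


if __name__ == "__main__":
    for line_no, finding, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}: {detail}")
```

The hardened `curl` step passes because the token is only referenced as `${JIRA_API_TOKEN}` (injected from a context or project variable) and never printed; in a real pipeline, run this against the rendered config before pushing it.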