antelle / argon2-browser

Argon2 library compiled for browser runtime
https://antelle.net/argon2-browser
MIT License
367 stars 79 forks

CI #28

Closed mymindstorm closed 4 years ago

mymindstorm commented 4 years ago

Example build: https://github.com/mymindstorm/argon2-browser/runs/201045586

You probably need to enroll here if you plan to merge this.

Can also auto-publish to npm if wanted: https://github.com/marketplace/actions/setup-node-js-for-use-with-actions

antelle commented 4 years ago

Hi! Thanks! 🎁 I think that CI without tests and without publishing to npm (not possible because of 2FA) is a bit of a strange thing, but it makes sense to write some tests. I'll add tests and merge this PR once I get access to GitHub Actions.

Would you mind if I use setup-emsdk from a fork? I don't want my build to depend on an unknown repo to keep me and users of my lib secure, hope you understand.

Also please delete all changes in the output.

mymindstorm commented 4 years ago

No problem.

I think that CI without tests and without publishing to npm [...] is a bit of a strange thing, but it makes sense to write some tests.

Auto-publishing is a bit crazy. I was thinking something along the lines of: if you merge to a release branch, CI does build, commit build, git tag, then publish the new tag to npm. That way all the artifacts come from the build, and you can add dist to your gitignore since you won't need to mess with the copy on GitHub manually.

(not possible because of 2FA)

It uses a token, so you don't have to enter credentials the normal way. I'm pretty sure all you have to do is go to repository settings => secrets => set NODE_AUTH_TOKEN to an NPM token and tell npm about that env var.

Would you mind if I use setup-emsdk from a fork? I don't want my build to depend on an unknown repo to keep me and users of my lib secure, hope you understand.

I don't mind. I want to use your library, but using files compiled by something that isn't automated is really iffy to me, hence this PR.

Re: ensuring security / authenticity of setup-emsdk, right now I have it referencing a tag, but you can have it directly reference a commit (e.g. mymindstorm/setup-emsdk@476bc50c4df2db1a3e9d72df0885c43ae0e5a3d4). That should be less of a hassle than having to fork it, though I'm not sure if it's possible to manipulate commit hashes.

Also please delete all changes in the output.

Sorry about that, I must've accidentally committed those.

antelle commented 4 years ago

if you merge to a release branch CI does: build, commit build, git tag, then publish the new tag to npm

Usually it's published when tags are added.

It uses a token, so you don't have to enter credentials the normal way.

I have 2FA on publish, not only on login, and I don't want to disable it.

files compiled by something that isn't automated is really iffy to me

I can imagine. Actually, I can write a script that will download the latest artifact and publish it from there, so that it can be compared to what's generated on CI.

not sure if it's possible to manipulate commit hashes.

Yes it is; in your own repos force push is enabled.

Thanks! 🎁 I've added tests meanwhile, waiting for access to GitLab actions.

antelle commented 4 years ago

I noticed that emsdk is downloaded from master: https://github.com/mymindstorm/setup-emsdk/blob/master/src/main.ts#L22

~Most likely it should install the latest stable version, or a version defined somewhere.~
Oops, disregard this, that's emsdk, not the emscripten version.

mymindstorm commented 4 years ago

It uses a token, so you don't have to enter credentials the normal way.

I have 2FA on publish, not only on login, and I don't want to disable it.

I've never published to npm before; you'd think that using a token would bypass that requirement.

files compiled by something that isn't automated is really iffy to me

I can imagine. Actually, I can write a script that will download the latest artifact and publish it from there, so that it can be compared to what's generated on CI.

I'll add a file with checksums to the artifacts to help with that.

not sure if it's possible to manipulate commit hashes.

Yes it is; in your own repos force push is enabled.

Git hashes include the time. Wouldn't the worst that could do be to break any builds using the affected hash? While researching this I also found out that GitHub is running detection against SHA-1 collision attacks. Ref
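The checksum file discussed above is only useful if someone actually compares it against what they downloaded. The following is an added example, not code from argon2-browser or from this PR: it generates a SHA-256 manifest for a dist directory the way a CI step might, then verifies a copy of the artifacts against that manifest and reports any file that is missing, altered, or not listed. The file names `argon2.js` and `argon2.wasm`, the manifest name `SHA256SUMS` and the file contents are constructed placeholders for the demonstration.

```python
"""Generate and verify a SHA-256 manifest for build artifacts.

Added example (not part of argon2-browser or this PR). Assumes the CI job
writes the built files into a dist directory and a SHA256SUMS manifest next
to it; verify_manifest() is what a consumer runs on a downloaded copy.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(dist_dir, manifest_path):
    """Write '<sha256>  <name>' lines (sha256sum format) for every file in dist_dir."""
    lines = []
    for name in sorted(os.listdir(dist_dir)):
        path = os.path.join(dist_dir, name)
        if os.path.isfile(path):
            lines.append(f"{sha256_of_file(path)}  {name}")
    with open(manifest_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines


def parse_manifest(manifest_path):
    """Return {name: expected_hex_digest} from a sha256sum-style manifest."""
    expected = {}
    with open(manifest_path) as f:
        for line in f:
            line = line.strip()
            if not line:
                continue
            digest, _, name = line.partition("  ")
            expected[name] = digest.lower()
    return expected


def verify_manifest(dist_dir, manifest_path):
    """Compare dist_dir against the manifest.

    Returns (ok, problems) where problems is a list of (name, reason).
    Files present in dist_dir but absent from the manifest are reported too,
    since an unexpected extra file is as suspicious as a modified one.
    """
    expected = parse_manifest(manifest_path)
    problems = []
    for name, digest in expected.items():
        path = os.path.join(dist_dir, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
        elif sha256_of_file(path) != digest:
            problems.append((name, "checksum mismatch"))
    for name in sorted(os.listdir(dist_dir)):
        if name not in expected and os.path.isfile(os.path.join(dist_dir, name)):
            problems.append((name, "not in manifest"))
    return (not problems, problems)


def demo():
    """Constructed scenario: clean CI output verifies, a tampered copy does not."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = os.path.join(tmp, "dist")
        os.makedirs(dist)
        # Constructed stand-ins for the real build outputs.
        with open(os.path.join(dist, "argon2.js"), "wb") as f:
            f.write(b"// constructed placeholder for argon2.js\n")
        with open(os.path.join(dist, "argon2.wasm"), "wb") as f:
            f.write(b"\x00asm\x01\x00\x00\x00")
        manifest = os.path.join(tmp, "SHA256SUMS")
        write_manifest(dist, manifest)
        clean_ok, _ = verify_manifest(dist, manifest)

        # Simulate a modified download: append bytes to one artifact.
        with open(os.path.join(dist, "argon2.js"), "ab") as f:
            f.write(b"// appended after the build\n")
        tampered_ok, problems = verify_manifest(dist, manifest)
        return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

The manifest format matches what `sha256sum -c SHA256SUMS` expects, so a consumer who does not want to run the script can verify with the standard tool instead; the script only adds the "file not listed in manifest" check, which `sha256sum -c` does not perform.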

antelle commented 4 years ago

I'll add a file with checksums to the artifacts to help with that.

Makes sense.

Right, it's hardly possible to modify a commit hash without generating collisions in content, so using a commit-sha should be fine.

Do you know how long it takes to get access to GitLab Actions? I've signed up there of course, but not sure how fast it is.

mymindstorm commented 4 years ago

I have no idea. This is the first time I've actually used GitHub Actions, and I've been in the limited beta for almost a year now, so I assumed it was just an opt-in thing.

If it doesn't go through within a few days, I bet support could enroll you.

antelle commented 4 years ago

It's still in beta, it says I'm in the waiting list, let's see how fast they approve requests. Same thing with GitHub sponsors, I'm still on the waiting list there too.

antelle commented 4 years ago

I'm very sorry to close this, but while GitLab is still thinking about approving my membership I've set up CI on Travis: https://travis-ci.org/antelle/argon2-browser. Now I don't see any sense in migrating it somewhere else because it does the job. Binaries in v1.10.0 are already received from there. Build artifacts are also available on BinTray: https://bintray.com/antelle/generic/argon2-browser and the sha is logged during build, so that everyone can verify that they're not modified.