Open nikolay opened 3 months ago
Thank you for your proposal. I'm not familiar with the 1Password CLI Shell Plugin, but does this issue mean installing the 1Password CLI Shell Plugin via aqua? I'll look into how to install plugins.
aqua doesn't support some tools' plugin mechanisms, so I'm not sure if aqua can support the 1Password CLI Shell Plugin. https://aquaproj.github.io/docs/products/aqua-registry/contributing#aqua-cant-support-some-tools-plugin-mechanism
I read the documentation of the 1Password CLI Shell Plugin, but I'm not sure what aqua should do. We need more details.
Oh, I see! This issue means the 1Password CLI Shell Plugin for aqua, which passes a GitHub access token to aqua via 1Password.
Yeah, @suzuki-shunsuke, sorry for not being clear. I guess you support AQUA_GITHUB_TOKEN. I would say it makes sense to pass that and not the generic GITHUB_TOKEN.
I'm concerned about the overhead of the plugin. I'm not sure about the details of the plugin, but if the plugin is executed every time aqua is executed, the overhead may affect the user experience. When you execute tools installed by aqua, aqua is executed.
On the other hand, the plugin would improve the security, and the performance should be measured rather than imagined.
If aqua supports the lazy load of a GitHub access token, this issue would be solved.
"lazy load" means aqua loads a GitHub access token only when aqua really needs it.
I found an interesting library. It would be nice if aqua could get a GitHub access token not only from 1Password but also from other secret stores. https://github.com/99designs/keyring
@suzuki-shunsuke Yes, that library is used by the famous https://github.com/99designs/aws-vault and https://github.com/common-fate/granted and although there are some more actively developed equivalents, the one you mention is the only one in Go supporting Windows.
https://github.com/99designs/keyring : The last update was two years ago.
https://github.com/keybase/go-keychain : For macOS keychain
https://github.com/zalando/go-keyring : This is actively maintained and supports Windows
https://github.com/danieljoos/wincred : Go wrapper around the Windows Credential Manager API functions
99designs/keyring works well on macOS.
https://gist.github.com/suzuki-shunsuke/58961369fbe13c76b3052c6ddc0a3893
$ aqua token set [-stdin]
> ***
$ aqua token remove
$ aqua token get # optional
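Putting together the two ideas from this thread, lazy loading of the token and the `aqua token set [-stdin] / remove / get` sketch above, the following is an added Go example; it is not aqua's code and not the gist linked above. It assumes an in-memory stand-in for the keyring backend (a real build would wrap a library such as 99designs/keyring or zalando/go-keyring), a hypothetical entry name `aqua/github_token`, and that `AQUA_GITHUB_TOKEN` is consulted before `GITHUB_TOKEN`. The `loads` counter exists only to make the laziness observable.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
	"sync"
)

// TokenStore abstracts the secret backend (a real implementation would wrap an
// OS keyring library); memStore is a constructed in-memory stand-in for offline use.
type TokenStore interface {
	Get(key string) (string, error)
	Set(key, value string) error
	Remove(key string) error
}

type memStore struct{ m map[string]string }

func newMemStore() *memStore { return &memStore{m: map[string]string{}} }

func (s *memStore) Get(key string) (string, error) {
	if v, ok := s.m[key]; ok {
		return v, nil
	}
	return "", errors.New("no GitHub token is stored")
}
func (s *memStore) Set(key, value string) error { s.m[key] = value; return nil }
func (s *memStore) Remove(key string) error     { delete(s.m, key); return nil }

// tokenKey is a hypothetical name for the keyring entry.
const tokenKey = "aqua/github_token"

// TokenProvider resolves the token lazily: the environment is checked and the
// backend read at most once, only on the first Token() call. Env lookup is
// injected so the result does not depend on the real process environment.
type TokenProvider struct {
	store TokenStore
	env   func(string) string
	once  sync.Once
	token string
	err   error
	loads int // number of backend reads; demonstrates the laziness
}

func NewTokenProvider(store TokenStore, env func(string) string) *TokenProvider {
	return &TokenProvider{store: store, env: env}
}

// Token returns the GitHub token. An exported variable wins (assumed order:
// AQUA_GITHUB_TOKEN, then GITHUB_TOKEN); otherwise the store is read.
func (p *TokenProvider) Token() (string, error) {
	p.once.Do(func() {
		for _, name := range []string{"AQUA_GITHUB_TOKEN", "GITHUB_TOKEN"} {
			if v := p.env(name); v != "" {
				p.token = v
				return
			}
		}
		p.loads++
		p.token, p.err = p.store.Get(tokenKey)
	})
	return p.token, p.err
}

// RunTokenCommand implements the `aqua token set [-stdin] | remove | get`
// shape sketched above. For `set` the token is read from r (piped stdin with
// -stdin; a real CLI would otherwise use a masked prompt).
func RunTokenCommand(store TokenStore, args []string, r io.Reader) (string, error) {
	if len(args) == 0 { return "", errors.New("usage: aqua token set [-stdin] | remove | get") }
	switch args[0] {
	case "set":
		line, err := bufio.NewReader(r).ReadString('\n')
		if err != nil && !errors.Is(err, io.EOF) {
			return "", err
		}
		tok := strings.TrimSpace(line)
		if tok == "" {
			return "", errors.New("empty token")
		}
		return "", store.Set(tokenKey, tok)
	case "remove":
		return "", store.Remove(tokenKey)
	case "get":
		return store.Get(tokenKey)
	}
	return "", fmt.Errorf("unknown subcommand %q", args[0])
}

// InstallTool models one aqua invocation: a tool that is already installed
// never touches the token; only a GitHub API call forces resolution.
func InstallTool(p *TokenProvider, needsGitHubAPI bool) (string, error) {
	if !needsGitHubAPI { return "already installed, no token needed", nil }
	tok, err := p.Token()
	if err != nil {
		return "", err
	}
	return "downloaded with token " + strings.Repeat("*", len(tok)), nil
}
```

With this shape, running an already-installed tool never reads the keyring at all, and a run that does need the GitHub API reads it once per process even if several downloads follow, which is the property that keeps a keyring or 1Password prompt from adding overhead to every aqua execution.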
Hmm. 99designs/keyring doesn't work on macOS without CGO.
CGO_ENABLED=0 go build -o bin/get-nocgo get.go
$ ./bin/get-nocgo
2024/10/11 16:12:22 set a key: No directory provided for file keyring
https://github.com/aquaproj/aqua/blob/4e08dea281d1adad7b88c19dbef99c134857b2e6/.goreleaser.yml#L15
https://github.com/zalando/go-keyring/issues/64#issuecomment-1793669498 describes the pros and cons of CGO well. It's hard to make a decision. We don't want to depend on CGO, but access to the macOS keychain via CGO is more secure.
Related:
📝 GitHub CLI uses zalando/go-keyring.
https://github.com/cli/cli/blob/b91dab44566a44e5f8e43c0cc83724e574320536/go.mod#L45
📝 1Password has an SDK for Go.
Hi @nikolay, sorry to bother you. Do you usually use Linux or Windows? If so, could you help us verify the feature https://github.com/aquaproj/aqua/pull/3174 ? I usually use macOS, so it's difficult for me to verify the feature on Linux and Windows.
@suzuki-shunsuke No, I'm only on macOS, but I can try on Linux and Windows as well.
Thank you!
Feature Overview
https://developer.1password.com/docs/cli/shell-plugins/contribute/
Why is the feature needed?
Otherwise, the AQUA_GITHUB_TOKEN or GITHUB_TOKEN should always be set and exposed in the shell.
Workaround
No response
Example Code
No response
Note
No response