Packagist now has two types of tokens - the API Token, and the "Safe" API Token. This is because the standard API token can be used to create packages (which we currently use it for), which, if compromised, could result in a supply-chain attack. However, the "Safe" API token can only be used to update existing packages, so if an attacker gets hold of it, it would not expose a large threat vector.
In order to take advantage of these finer-grained token permissions, we can add a PACKAGIST_SAFE_TOKEN env var to our repository creation job which, when set, is used to configure the new package repository's git hooks.
We would also want to add a new --packagist-safe-token option to the SplitCommand console command.
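To illustrate the token-selection rule the proposal implies (full token only for package creation, safe token for the update hook, fallback to the full token only when no safe token is configured), here is an added example in Python. It is not code from this project or from Packagist; `PACKAGIST_SAFE_TOKEN` is the env var proposed above, while `PACKAGIST_USERNAME`, `PACKAGIST_TOKEN`, the function names and the update-package endpoint shape are assumptions, and the sample environment is constructed.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple
from urllib.parse import urlencode


@dataclass(frozen=True)
class PackagistCredentials:
    """Packagist credentials separated by privilege tier.

    api_token  - the standard API token: can create new packages (high impact if leaked)
    safe_token - the "Safe" API token: can only trigger updates of existing packages
    """
    username: str
    api_token: Optional[str] = None
    safe_token: Optional[str] = None


def credentials_from_env(env: Mapping[str, str],
                         cli_safe_token: Optional[str] = None) -> PackagistCredentials:
    """Read tokens from the job environment; a --packagist-safe-token CLI value wins over the env var.

    PACKAGIST_SAFE_TOKEN is the env var proposed in the issue. PACKAGIST_USERNAME and
    PACKAGIST_TOKEN are assumed names for the existing username / full-token settings.
    """
    safe = cli_safe_token or env.get("PACKAGIST_SAFE_TOKEN") or None
    return PackagistCredentials(
        username=env["PACKAGIST_USERNAME"],
        api_token=env.get("PACKAGIST_TOKEN") or None,
        safe_token=safe,
    )


def token_for(creds: PackagistCredentials, action: str) -> Tuple[str, str]:
    """Pick the least-privileged token that can perform `action`; returns (tier, token).

    "create" (registering a new package) genuinely needs the full token.
    "update" (the git hook / update-package call on an existing package) uses the
    safe token whenever one is configured and only falls back to the full token
    when no safe token is available.
    """
    if action == "create":
        if not creds.api_token:
            raise PermissionError("package creation requires the full Packagist API token")
        return ("full", creds.api_token)
    if action == "update":
        if creds.safe_token:
            return ("safe", creds.safe_token)
        if creds.api_token:
            return ("full", creds.api_token)
        raise PermissionError("no Packagist token available for package updates")
    raise ValueError(f"unknown action: {action}")


def update_hook(creds: PackagistCredentials, repo_url: str) -> dict:
    """Describe the webhook a newly split repository should call to notify Packagist.

    The request shape follows Packagist's documented update-package API
    (POST /api/update-package?username=...&apiToken=... with a JSON body
    {"repository": {"url": ...}}); treat the exact URL as an assumption and
    check it against the current Packagist docs before relying on it.
    """
    tier, token = token_for(creds, "update")
    query = urlencode({"username": creds.username, "apiToken": token})
    return {
        "tier": tier,
        "method": "POST",
        "url": f"https://packagist.org/api/update-package?{query}",
        "body": {"repository": {"url": repo_url}},
    }


def redact(token: str) -> str:
    """Mask a token for log output so hook configuration never prints the secret."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


if __name__ == "__main__":
    # Constructed sample environment, not real credentials.
    env = {
        "PACKAGIST_USERNAME": "acme",
        "PACKAGIST_TOKEN": "fulltoken-0000",
        "PACKAGIST_SAFE_TOKEN": "safetoken-1111",
    }
    creds = credentials_from_env(env)
    hook = update_hook(creds, "https://github.com/acme/example-package")
    tier, token = token_for(creds, "update")
    print(f"hook configured with {tier} token {redact(token)} -> {hook['method']} {hook['url'].split('?')[0]}")
```

With both tokens present the hook is configured with the safe token and the full token never leaves the package-creation step; if the safe token is absent the fallback to the full token is explicit in `token_for`, which is the place to log a warning in a real job.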