SanderDevisscher closed 4 months ago
I think one option is to store the password and username in the sys env, similar to {rgbif}.
So the flow would be:
If there is no token/username/pwd in the env, then prompt the user; if there is, then try to log in/continue, and if that fails, prompt the user anyway. You could then pass the username and password as environment variables via github secrets.
Alternatively, we could use a system keyring to do this, similar to movebank. https://gitlab.com/bartk/move2/-/blob/main/R/movebank_credentials.R
Using the workflow like rgbif is fine for me. I already use it for github actions.
Are you using github secrets?
yes
Ah well, storing things like a password in a sys env isn't really a great idea. But it's probably safe enough for us for now. Any rogue software/agent can just take off with the credentials though.
I've been putting off improving this in both {etn} and {rgbif} to be honest because it'll break a lot of user scripts and I haven't used keyring much.
All of this to say, I agree with going the same route as {rgbif}, but we might want to revisit this at some point. Our data is pretty sensitive, and we should put in effort to avoid leaks.
I've added this as the final development for the current milestone "get a tibble out", as you need it for github actions workflows
@PietrH can this be implemented so I can complete my github actions?
This is an important design decision to keep in mind, can you make an issue for further discussion?
If we retrieve personal information via the API, we might need to make sure no data is stored unencrypted on the runner or in artefacts, and we might be obliged to process data in the EU only. I'm not sure on the specifics but we need to tread lightly. We are capable of using our own custom runners via AWS in an EU region, but it'll take a bit of doing and have a slight cost.
Originally posted by @PietrH in https://github.com/inbo/vespawatchr/issues/6#issuecomment-1814126821
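
The flow proposed earlier in this thread (read credentials from the environment, prompt when nothing is set, prompt again when login fails), written in R as an added example that is not code from vespawatchr, rgbif or etn. The variable names `VESPA_USER` and `VESPA_PWD`, the `login_fn` callback and `fake_login` are assumptions made for illustration.

```r
# Env-first credential lookup with interactive fallback.
# VESPA_USER / VESPA_PWD and login_fn are hypothetical names, not a package API.
get_credentials <- function(login_fn,
                            user_var = "VESPA_USER",
                            pwd_var = "VESPA_PWD",
                            max_attempts = 3) {
  prompt_user <- function() {
    if (!interactive()) {
      # On a CI runner nobody can answer a prompt: fail with the variable
      # names only, never with the values that were tried.
      stop("Credentials missing or rejected; set ", user_var, " and ", pwd_var,
           " (for example from GitHub secrets).", call. = FALSE)
    }
    list(
      username = readline("Username: "),
      # askpass hides typed input when it is installed; readline() echoes it.
      password = if (requireNamespace("askpass", quietly = TRUE)) {
        askpass::askpass("Password: ")
      } else {
        readline("Password: ")
      }
    )
  }

  creds <- list(username = Sys.getenv(user_var, unset = ""),
                password = Sys.getenv(pwd_var, unset = ""))
  if (!nzchar(creds$username) || !nzchar(creds$password)) creds <- prompt_user()

  for (attempt in seq_len(max_attempts)) {
    # A login error counts as a failed attempt; the error text is not printed,
    # so it cannot carry the password into a job log.
    ok <- isTRUE(tryCatch(login_fn(creds$username, creds$password),
                          error = function(e) FALSE))
    if (ok) return(invisible(creds))
    if (attempt < max_attempts) creds <- prompt_user()
  }
  stop("Login failed after ", max_attempts, " attempts.", call. = FALSE)
}

# Constructed stand-in for a real login call: accepts one fixed pair.
fake_login <- function(u, p) identical(c(u, p), c("ci-bot", "s3cret"))
Sys.setenv(VESPA_USER = "ci-bot", VESPA_PWD = "s3cret")  # constructed values
creds <- get_credentials(fake_login)
# Clearing the variables once they are read keeps them out of the environment
# inherited by processes this R session starts afterwards.
Sys.unsetenv(c("VESPA_USER", "VESPA_PWD"))
```

In a non-interactive job the function stops instead of prompting, so a missing or wrong secret fails the workflow rather than hanging it.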