Open ssbarnea opened 2 years ago
@prashantvc Any chance you can have a look at this? If you want I am more than happy to also have a call and share our experience, maybe we can find some solutions to improve the publishing and maintenance experience.
Describe the bug
Currently any token with publish rights can publish any extension under the same organization. It is impossible to generate a token with permissions for a single extension.
Expected behavior
Be able to generate tokens that are limited to a single organization and with a life-span of one year or even more. Those should allow use in CI/CD pipelines.
Additional context
Keep in mind that there are publishers with lots of extensions:
It is highly likely that publishers with more than a couple of extensions have different teams developing extensions spanning different groups inside the company, so they will be unlikely to use the same release process/tools for automating publishing of new versions or even for managing the marketplace presence.
It is a security risk to use tokens that can cross-publish, as in case a single release pipeline (or, in case of manual publishing, a release manager's credentials) is exposed, total mayhem can happen: a malicious user could update any of those extensions, not only one.
That is why it makes perfect sense to allow scope-limited tokens, limited to a single extension instead of full access to the entire publisher.