Closed targos closed 2 years ago
Merging #511 (1bd61fe) into main (5e85166) will increase coverage by
0.06%
. The diff coverage isn/a
.
@@ Coverage Diff @@
## main #511 +/- ##
==========================================
+ Coverage 84.10% 84.16% +0.06%
==========================================
Files 37 37
Lines 4051 4067 +16
==========================================
+ Hits 3407 3423 +16
Misses 644 644
Impacted Files | Coverage Δ | |
---|---|---|
lib/auth.js | 87.60% <0.00%> (+1.88%) |
:arrow_up: |
Continue to review full report at Codecov.
Legend - Click here to learn more
Δ = absolute <relative> (impact)
,ø = not affected
,? = missing data
Powered by Codecov. Last update 5e85166...1bd61fe. Read the comment docs.
This would remove 2FA when we publish. Are we ok with that?
npm now has automation tokens now, so we don't have to disable 2FA requirements on the package. AFAIU the only risk we would have is that someone with write access to this repo pushes something to steal the token?
We still drop 2FA for our "main" publish workflow (assuming the automation becomes the main workflow). It's not ideal IMO but probably low risk enough that we can try it?
GitHub Actions now have environment protection rules and environment secrets: https://github.blog/changelog/2020-12-15-github-actions-environments-environment-protection-rules-and-environment-secrets-beta/ Maybe that can be used to protect an npm token and/or only allow a subset of collaborators to publish the package?
I will reimplement the change differently if it's likely to land.
Updated. We still need to setup an npm automation token before merging this. Who would be able to do that?
The NPM_TOKEN secret is installed. Would you like to review again?
Labeled "do not land" because we need to setup the npm token if this is accepted.