Open tgriesser opened 3 years ago
Can you share the exact error that you encountered?
A good place to start looking into would be: https://github.com/prisma-labs/dripip/blob/121be2334389ab80c64f8990cc331e155e2a2d9d/src/lib/pacman.ts#L36
To help work on this I've enabled npm 2fa for publishing on my account. Here is the error I now get:
$ dripip preview
Error: The following command failed to complete successfully:
yarn publish --tag next --no-git-tag-version --new-version 0.10.1-next.1
It ended with this exit code:
1
This underlying error occured (null = none occured):
null
It received signal (null = no signal received):
null
It output on stderr (null = not spawned in pipe mode):
error Couldn't publish package: "Can't answer a question unless a user TTY"
It output on stdout (null = not spawned in pipe mode):
Not sure yet but guessing some possible solutions:
-- edit
Re 3: I think a flag is weird for OTP, it has to be an interactive thing, flag gives little value over prompt
Re 4: Yep doesn't make sense, too transient.
With 2fa enabled here is the login flow:
❯ npm login
Username: dripip-2fa
Password:
Email: (this IS public) dripip.npm@gmail.com
Enter one-time password from your authenticator app: 437488
Logged in as dripip-2fa on https://registry.npmjs.org/.
Some official info here https://docs.npmjs.com/about-two-factor-authentication
With 2fa enabled here is the publish flow:
❯ npm publish
npm notice
npm notice 📦 dripip-system-tests@0.0.0-test.2fa.2
npm notice === Tarball Contents ===
npm notice 0 index.js
npm notice 255B package.json
npm notice === Tarball Details ===
npm notice name: dripip-system-tests
npm notice version: 0.0.0-test.2fa.2
npm notice package size: 300 B
npm notice unpacked size: 255 B
npm notice shasum: 450fcb9886ffba6c2d33d756c438ee946bd400a9
npm notice integrity: sha512-JuIEwOxVr3CBl[...]Ynz4oHpiq7fPA==
npm notice total files: 2
npm notice
This operation requires a one-time password.
Enter OTP: 352695
+ dripip-system-tests@0.0.0-test.2fa.2
My conclusion is that when 2fa is enabled we should forward the tty to the user.
I don't think this 2fa flow is designed for CI workflows. There is no tty in CI.
Since the OTP is ephemeral, this isn't something that could really ever be stored as an environment variable.
Therefore bringing 2fa support to dripip is about support its manual use by users, rather than unblocking any issues in CI.
I think when we resolve this issue we need to qualify what we mean when we say we support 2fa.
I also think this feature isn't a top priority since CI publishing is a best practice and what dripip is designed for first.
Still manual publishing is an important escape hatch. And I think it feels uncomfortable to use a tool that won't let you go manual if ever you need to.
Tried to use this on Nexus at one point, and was unable to publish because I have 2FA on my npm account. Happy to submit a patch for it, if you have any pointers of where this change should be made that'd be super helpful.