bendrucker
commented
3 years ago @wata727 FYI, started work on this since we're using mostly CircleCI at @takescoop and I want to make it easier to drop TFLint into CI workflows. While I find orbs a lot more limiting and clunky than GitHub Actions' approach, CircleCI has a sizable market share and for end users orbs are still a powerfully simple and concise way to add functionality.
I've installed CircleCI for the terraform-linters org and enabled this project:
https://app.circleci.com/pipelines/github/terraform-linters/tflint-orb
CircleCI relies on GitHub for authentication but has its own token system for its API. So I authenticate with CircleCI via GitHub on the web, but to use CircleCI's API I issue a token for myself. You need a token to publish orbs and the identity attached to that token must have administrative access to the GitHub organzation.
https://discuss.circleci.com/t/automating-orb-publishing/26870
A maintainer with that access can use their own token, but that comes with risk of token theft or breakage if the maintainer leaves the org or just accidentally revokes the token. Circle deals with the former by generating CI configuration with a manual approval block step, but that doesn't address the risk of revocation.
Alternatively, we can create a GitHub machine user with that same access. That's how I set things up for @takescoop. Creating a privileged machine user isn't great either, but it's the least bad option. We would need a shared email inbox to back that machine user. I use Google Groups at work for this and a public @googlegroups.com address should work fine here.
Leaving things here until I next have time to work on this but wanted to share an update and leave notes on what's done and to do.
wata727
abemedia
Publishing orbs requires a CircleCI organization, creating an orb namespace, and providing a CircleCI token to CI for publication.