conda-forge.github.io

Feedstock tokens per CI

Open isuruf opened this issue 3 years ago • 5 comments

Currently the feedstock token is the same for each CI and is only stored on existing CI. This is problematic when adding a new CI as we have to reset all the tokens for all CI as we don't have the token in plain text to add to the new CI.

This requires a change to conda-smithy. To make this easier, we can keep using the global token if there's no CI-specific token.

cc @beckermr, @jaimergp

isuruf Mar 23 '22 18:03

Thanks for making this one!

One comment here: I did not store any tokens in plain text on the conda-forge side on purpose, to increase security. The tokens are salted+hashed and then stored in a private place.

beckermr Mar 23 '22 18:03

We'll also need corresponding changes in the ci-setup scripts repo and possibly the webserver.

beckermr Mar 23 '22 18:03

> We'll also need corresponding changes in the ci-setup scripts repo and possibly the webserver.

They are all handled by conda-smithy, right?

isuruf Mar 23 '22 18:03

Validation depends on how the tokens are stored: https://github.com/conda-forge/conda-forge-webservices/blob/main/conda_forge_webservices/feedstock_outputs.py#L35

We could/should clean this up so we don't have these coordination issues.

beckermr Mar 23 '22 18:03

I wrote that since verifying via an https request is faster. We should upstream it back to smithy.

beckermr Mar 23 '22 18:03
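
An added sketch of the scheme discussed in this thread (not code from conda-smithy or conda-forge-webservices): tokens are kept only as salt plus hash, and validation uses the CI-specific record when one exists, otherwise the global one. The function names, the `store` layout, the `"*"` key, the provider names and the choice of PBKDF2 are all assumptions.

```python
import hashlib
import hmac
import secrets

GLOBAL = "*"  # hypothetical key for the legacy token shared by every CI


def _digest(token: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is an assumption; the thread only says "salted+hashed".
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)


def register_token(store: dict, provider: str = GLOBAL) -> str:
    """Mint a token for one CI provider; only salt and hash are kept."""
    token = secrets.token_hex(32)
    salt = secrets.token_bytes(16)
    store[provider] = {"salt": salt.hex(), "hash": _digest(token, salt).hex()}
    # The plain text goes to that CI's secret settings and is not stored here,
    # so adding another CI later means minting a new token, not copying one.
    return token


def is_valid_token(store: dict, token: str, provider: str) -> bool:
    """Check the CI-specific record; fall back to the global one if absent."""
    record = store.get(provider) or store.get(GLOBAL)
    if record is None:
        return False
    candidate = _digest(token, bytes.fromhex(record["salt"]))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    store = {}                                   # constructed sample state
    legacy = register_token(store)               # existing global token
    new_ci = register_token(store, "new_ci")     # added later, no reset needed
    print(is_valid_token(store, legacy, "azure"))    # falls back to global
    print(is_valid_token(store, new_ci, "new_ci"))   # CI-specific record
    print(is_valid_token(store, legacy, "new_ci"))   # global not accepted here
```

Once a provider has its own record, the global token is no longer accepted for that provider, so each CI can be migrated and rotated independently.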