
Better Authentication Options

Open NickLiffen opened this issue 4 years ago • 7 comments

Hey 👋 Firstly, love the GitHub Action! Really nice 👍

The one thing that I don't like about this action though is the section: creating-the-configuration-on-your-local-machine.

Is there any way to generate this programmatically vs having a user input? We want to use this action but we would like to rotate this credential every 24 hours for security reasons. We would like to create a custom GitHub Action that creates the credential and updates the GitHub Secret which THIS action would be using for authentication (hopefully that makes sense).

In a perfect world, I would just send you my Artifactory URL and Access Token.

Also:

jfrog rt c

This is deprecated in the latest CLI.

I think it would be good to just pass in the Artifactory URL and Artifactory Access Token.

Additionally, the reason why I want to use an access token is I would like to scope the access token to just be what I want it to be, vs everything 👍

Would love to discuss thoughts and ideas around this 💯

NickLiffen avatar Apr 29 '21 11:04 NickLiffen

Thanks for your feedback, @NickLiffen! Configuring the "JF_ARTIFACTORY_" server token is the easiest and most recommended way to config the Artifactory credentials. However, it is not mandatory. You still have the option to use the CLI as usual:

Example 1:

- uses: jfrog/setup-jfrog-cli@v1
- run: |
    jfrog rt ping --url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

Example 2:

- uses: jfrog/setup-jfrog-cli@v1
- run: |
    jfrog c add kermit --artifactory-url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.RT_TOKEN }}
    jfrog rt ping

One more thing - jfrog rt c is deprecated in favour of jfrog c add. Read more about this command under Authentication. I updated the Setup JFrog CLI documentation - thanks!

Please let me know if that helped.

yahavi avatar Apr 29 '21 11:04 yahavi

@yahavi I agree that for most people this would be okay 👍

The thing about this command:

  jfrog rt ping --url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

is that I would have to run this with every command I run 😢 Which is a little bit messy. Also, across 100 repos using this, it just starts to not get very modular IMO.

We could create something custom in the company that I work for which does what we are asking, but I just didn't know if there was appetite at the broader community to have the OPTION (not mandatory), to just do a one-time setup of:

- uses: jfrog/setup-jfrog-cli@v1
  env:
    JF_ARTIFACTORY_SERVER_URL: ${{ secrets.JF_ARTIFACTORY_SERVER_URL }}
    JF_ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }}

What that means is in another job I could be rotating the JF_ARTIFACTORY_ACCESS_TOKEN every X hours, meaning we are fully secure.

The problem is, even though GitHub makes it really hard to console.log() GitHub Secrets, it's 100% possible with hacky solutions which I don't like, but it's done. So if we don't rotate it, someone could get it out of Secrets and use it. That is why we need to rotate if that makes sense 👍

If this isn't something you are interested in then it's fine, we are happy to build something custom, just wanted to ask here first 👍

NickLiffen avatar Apr 29 '21 11:04 NickLiffen

@NickLiffen, if I have not misunderstood you, you can easily create the server token in the action that updates Artifactory's token. Something like this:

- uses: jfrog/setup-jfrog-cli@v1
- run: |
    # Create a new access token
    export NEW_ACCESS_TOKEN=`jfrog rt atc <artifactory-username> --url=${{ secrets.JF_ARTIFACTORY_SERVER_URL }} --access-token=${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }} | jq '.access_token' -r`

    # Configure Artifactory server
    jfrog c add kermit --artifactory-url=${{ secrets.JF_ARTIFACTORY_SERVER_URL }} --access-token=$NEW_ACCESS_TOKEN

    # Create a new server token
    export NEW_TOKEN=`jfrog c export kermit`

Please let me know if that helped.

yahavi avatar Apr 29 '21 12:04 yahavi

Agreed 👍 But look how messy that is 😢 This is what we are trying to get away from. It's a lot of characters of code where someone could go in and change something which breaks the auth process. If someone was to go in and accidentally change something, it stops working.

It sounds like you aren't open to this suggestion, (which is fine), we are happy to go and build our own action 👍 Appreciate the conversation 💯

NickLiffen avatar Apr 29 '21 12:04 NickLiffen

I also don't think I am explaining myself very well, to be honest, 🙃

I would like to have a workflow that has a one-time Artifactory setup step, then multiple steps after that, that don't need to worry about anything config related; it would use the one-time setup process. E.g.

- uses: jfrog/setup-jfrog-cli@v1
  env:
    JF_ARTIFACTORY_SERVER_URL: ${{ secrets.JF_ARTIFACTORY_SERVER_URL }}
    JF_ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }}

That would be the setup, then I could run any command after that line, like this:

- run: |
    jfrog rt ping

This token here: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }} we would like to be set at the GitHub Organisation layer. This token would have read access to certain enterprise repos. Now, as it's at the org level, we need to be careful with this token. So, in a completely separate GitHub Repo, I will use the Artifactory REST API to create a new token and update the GitHub Org Secret with the new Access Token.

I would then put this GitHub action on a cron to run X times every day.

As it's at the org level, it means 1000s of repos can reference this one token, whilst staying secure, as the token is scoped to groups, and also if someone managed to get it out of actions, it is only valid for X amount of time. If that makes sense.

We can't ask 1000s of repos to do this, so we will have 1 secret at the GitHub Org Level. We will have 1 separate locked off GitHub Repo that updates this org level secret every X hours. Then set the org level secret so every repo in the org can use it.

Hopefully that makes sense 👍

NickLiffen avatar Apr 29 '21 12:04 NickLiffen
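The rotation job yahavi sketched above and the org-level scheme NickLiffen describes (a separate locked-off repo minting a group-scoped token on a cron and writing it to one org secret), as an added example that is not the action's own code nor either commenter's: mint a scoped, short-lived token, verify its claims before trusting it, then publish it. It assumes the JFrog Access API `POST /access/api/v1/tokens`, the `gh` CLI's `gh secret set --org`, and that the minted token is a JWT carrying `exp` and `scp` claims; every URL, org, user and group name is constructed.

```python
# Added example: rotation job for a scoped, short-lived JFrog token -> GitHub org secret.
# Assumes JFrog Access API POST /access/api/v1/tokens, the gh CLI, and JWT-shaped tokens.
import base64, json, subprocess, time, urllib.request

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without signature verification: we only inspect the
    claims of a token we ourselves just received from the issuer over TLS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)              # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_policy_ok(claims: dict, now: int, max_ttl: int, allowed_groups: set) -> bool:
    """Reject tokens that never expire, outlive the rotation window, or carry
    any scope beyond the expected groups (admin or user-level scopes fail)."""
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp > now + max_ttl:
        return False
    entries = claims.get("scp", "").split()
    for entry in entries:
        prefix, _, groups = entry.partition("groups:")
        if prefix != "applied-permissions/" or not set(groups.split(",")) <= set(allowed_groups):
            return False
    return bool(entries)                              # an empty scope is not a valid grant

def mint_token(jf_url: str, admin_token: str, username: str, groups: set, ttl: int) -> str:
    """Ask the JFrog Access API for a new non-refreshable token scoped to the groups."""
    body = json.dumps({"username": username, "expires_in": ttl, "refreshable": False,
                       "scope": "applied-permissions/groups:" + ",".join(sorted(groups)),
                       "description": "GitHub org secret, rotated by cron"}).encode()
    req = urllib.request.Request(f"{jf_url}/access/api/v1/tokens", data=body, method="POST",
        headers={"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def publish_org_secret(org: str, name: str, value: str) -> None:
    """gh fetches the org public key, seals the value and uploads it (never echoed)."""
    subprocess.run(["gh", "secret", "set", name, "--org", org, "--visibility", "all"],
                   input=value.encode(), check=True)

def rotate(jf_url, admin_token, org, username, groups, ttl,
           mint=mint_token, publish=publish_org_secret, now=None) -> str:
    token = mint(jf_url, admin_token, username, groups, ttl)
    if not token_policy_ok(jwt_claims(token), now or int(time.time()), ttl, groups):
        raise RuntimeError("minted token violates rotation policy; not publishing")
    publish(org, "JF_ACCESS_TOKEN", token)            # mint and publish are injectable for tests
    return token

def unsigned_jwt(claims: dict) -> str:            # constructed token for offline demonstration only
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Run `rotate(...)` from the scheduled workflow in the locked-off repo with the admin token and `gh` credentials supplied as that repo's own secrets; the claims check is what stops an over-privileged or non-expiring token from ever landing in the org secret.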

Maybe the PR I recently created could help creating the feature that is requested here? https://github.com/jfrog/setup-jfrog-cli/pull/43

I have it working in our private action but would make our devs really happy if they could use it with this public version of the action.

rkustner avatar May 27 '21 11:05 rkustner

@rkustner - I added a question for you inside your PR. @NickLiffen - Are you suggesting that we create a new and separate action for refreshing the token periodically?

eyalbe4 avatar May 27 '21 12:05 eyalbe4

Hi @NickLiffen This https://github.com/jfrog/setup-jfrog-cli/pull/76 is merged and adds the following functionality. Looking forward to your feedback on it. I will update this thread once the next release is out.

Storing the connection details using separate environment variables

You can set the connection details to your JFrog Platform by using one of the following environment variables combinations:

  1. JF_URL (no authentication)
  2. JF_URL + JF_USER + JF_PASSWORD (basic authentication)
  3. JF_URL + JF_ACCESS_TOKEN (authentication using a JFrog Access Token)

You can use these environment variables in your workflow as follows:

- uses: jfrog/setup-jfrog-cli@v2
  env:
    # JFrog platform URL (for example: https://acme.jfrog.io)
    JF_URL: ${{ secrets.JF_URL }}

    # Basic authentication credentials
    JF_USER: ${{ secrets.JF_USER }}
    JF_PASSWORD: ${{ secrets.JF_PASSWORD }}

    # JFrog platform access token (if JF_USER and JF_PASSWORD are not provided)
    # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
- run: |
    jf rt ping

sverdlov93 avatar Aug 15 '22 09:08 sverdlov93

Hi @NickLiffen, Setup JFrog CLI 2.4.0 is released and includes the above feature. We'd appreciate your feedback on that.

sverdlov93 avatar Aug 17 '22 12:08 sverdlov93