W3C home > Mailing lists > Public > spec-prod@w3.org > January to March 2021

[echidna] token limitation to travis-ci and GitHub actions only starting from Feb 1, 20201

From: Denis Ah-Kang <denis@w3.org>
Date: Fri, 22 Jan 2021 15:20:53 +0400
To: Spec-prod <spec-prod@w3.org>, "Tab Atkins Jr." <jackalmage@gmail.com>, sidvishnoi8@gmail.com
Cc: Philippe Le Hegaret <plh@w3.org>
Message-ID: <65117e36-9886-bf50-6835-d15ac863f653@w3.org>
Hi all,

As you might already know, Echidna currently supports 2 ways of
submitting documents:
1/ URL or manifest [1] that requires the URL of the document/manifest 
and a token (provided by a W3C team contact)
2/ tar file [2] submitted by POST with your W3C credentials

While the second method can be useful if your document isn't
accessible on the web, e.g. bikeshed produces snapshots
locally, it cannot be safely integrated in a continuous
integration workflow, simply because you want to keep your
W3C credentials private.

To solve that issue, we decided to allow the use of tokens
for both methods but *only* for requests coming from travis-ci
and GitHub actions [3], to limit potential token leaks.
I'm expecting to deploy that change on *Feb 1, 2021*.

This means if you want to manually trigger a request to
echidna, you will have to submit your document using the tar
method and your W3C credentials. [1] will no longer work
outside travis-ci or GitHub actions. Of course, if you need
help switching methods, you can email me or ping me on irc
(#pub).

Also, if your repository is already configured with Travis
as described in the wiki [4], then you don't have to do
anything.

Let me know if you have any concern or if something isn't
clear.

Denis



[1] https://github.com/w3c/echidna/wiki/How-to-use-Echidna#url-or-manifest
[2] https://github.com/w3c/echidna/wiki/How-to-use-Echidna#tar-file
[3] https://github.com/w3c/echidna/issues/492
[4] https://github.com/w3c/echidna/wiki/Setting-up-Echidna-as-a-GitHub-hook
Received on Friday, 22 January 2021 11:21:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 22 January 2021 11:21:03 UTC