Re: [echidna] token limitation to travis-ci and GitHub actions only starting from Feb 1, 2021

Hi,

The new version of Echidna has now been deployed.
As of today, the publication token is no longer linked to a
"source" but Echidna will check that the requests are coming
from travis-ci or GitHub Actions. This will allow the
publication of specifications even if they are not
publicly available on the web, and without exposing the W3C
credentials in a CI configuration.

If you are already using travis or GitHub actions to publish
your documents, you don't have anything to do. Similarly,
the bikeshed command [1] should still work as before.

The only persons who will be affected by that update are
the ones submitting manual requests with a token. In this
case, they will have to switch to the tar method and
provide their W3C credentials instead of relying on the token.
If you have trouble switching methods, feel free to send
me an email and I'll help you.

I have also updated the echidna wiki [2] to describe the
changes so if something is not clear, let me know.

Regards,

Denis



[1] https://tabatkins.github.io/bikeshed/#cli-echidna
[2] https://github.com/w3c/echidna/wiki




On 1/22/21 3:20 PM, Denis Ah-Kang wrote:
> Hi all,
> 
> As you might already know, Echidna currently supports 2 ways of
> submitting documents:
> 1/ URL or manifest [1] that requires the URL of the document/manifest 
> and a token (provided by a W3C team contact)
> 2/ tar file [2] submitted by POST with your W3C credentials
> 
> While the second method can be useful if your document isn't
> accessible on the web, e.g. bikeshed produces snapshots
> locally, it cannot be safely integrated in a continuous
> integration workflow, simply because you want to keep your
> W3C credentials private.
> 
> To solve that issue, we decided to allow the use of tokens
> for both methods but *only* for requests coming from travis-ci
> and GitHub actions [3], to limit potential token leaks.
> I'm expecting to deploy that change on *Feb 1, 2021*.
> 
> This means if you want to manually trigger a request to
> echidna, you will have to submit your document using the tar
> method and your W3C credentials. [1] will no longer work
> outside travis-ci or GitHub actions. Of course, if you need
> help switching methods, you can email me or ping me on irc
> (#pub).
> 
> Also, if your repository is already configured with Travis
> as described in the wiki [4], then you don't have to do
> anything.
> 
> Let me know if you have any concerns or if something isn't
> clear.
> 
> Denis
> 
> 
> 
> [1] https://github.com/w3c/echidna/wiki/How-to-use-Echidna#url-or-manifest
> [2] https://github.com/w3c/echidna/wiki/How-to-use-Echidna#tar-file
> [3] https://github.com/w3c/echidna/issues/492
> [4] https://github.com/w3c/echidna/wiki/Setting-up-Echidna-as-a-GitHub-hook
> 

Received on Monday, 1 February 2021 12:49:40 UTC