Re: [echidna] token limitation to travis-ci and GitHub actions only starting from Feb 1, 2021

And note that Bikeshed should be updated this week to allow passing a
token to `bikeshed echidna`, rather than requiring your credentials,
so you *can* safely use it in your CI workflow.

On Fri, Jan 22, 2021 at 3:21 AM Denis Ah-Kang <denis@w3.org> wrote:
> As you might already know, Echidna currently supports 2 ways of
> submitting documents:
> 1/ URL or manifest [1] that requires the URL of the document/manifest
> and a token (provided by a W3C team contact)
> 2/ tar file [2] submitted by POST with your W3C credentials
>
> While the second method can be useful if your document isn't
> accessible on the web, e.g. bikeshed produces snapshots
> locally, it cannot be safely integrated in a continuous
> integration workflow, simply because you want to keep your
> W3C credentials private.
>
> To solve that issue, we decided to allow the use of tokens
> for both methods but *only* for requests coming from travis-ci
> and GitHub actions [3], to limit potential token leaks.
> I'm expecting to deploy that change on *Feb 1, 2021*.
>
> This means if you want to manually trigger a request to
> echidna, you will have to submit your document using the tar
> method and your W3C credentials. [1] will no longer work
> outside travis-ci or GitHub actions. Of course, if you need
> help switching methods, you can email me or ping me on irc
> (#pub).
>
> Also, if your repository is already configured with Travis
> as described in the wiki [4], then you don't have to do
> anything.
>
> Let me know if you have any concerns or if something isn't
> clear.
>
> Denis
>
>
>
> [1] https://github.com/w3c/echidna/wiki/How-to-use-Echidna#url-or-manifest
> [2] https://github.com/w3c/echidna/wiki/How-to-use-Echidna#tar-file
> [3] https://github.com/w3c/echidna/issues/492
> [4] https://github.com/w3c/echidna/wiki/Setting-up-Echidna-as-a-GitHub-hook

Received on Monday, 1 February 2021 17:42:27 UTC