step-security / wait-for-secrets
Publish from GitHub Actions using multi-factor authentication
License: Apache License 2.0
@arjundashrath, please take this up.
I have added the TODO statements in the code. The API to be called and expected response is also added in the comments.
If you have any questions, please let me know.
We should use `id-token` to authenticate the job to our API.
Use `getIDToken` from actions toolkit for this. Send the token in the `Authorization` header.
I will create a separate issue in the API to validate the token and get the job, workflow, and repo details from the `id-token`.
Hello, thanks for this GitHub Action package. I use it in a few of my open source projects; however, I'm getting a warning from GitHub Actions that Node16 is deprecated and will eventually be migrated (or fail). Below is the warning I'm currently receiving after an NPM release using this action:
[deploy-npm-latest](https://github.com/lerna-lite/lerna-lite/actions/runs/8530155212/job/23367421675)
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: step-security/wait-for-secrets@v1.
For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/
Currently secrets are not masked when written to log.
Use `core.setSecret` to inform GitHub Actions that the value is a secret.
https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-setting-a-value
Currently we print the URL every 10 seconds:
Line 64 in cca2533
You can see this here:
https://github.com/step-security/secure-workflows/actions/runs/3050195152/jobs/4917035695#step:7:12
The change is to only print the URL once and then print a `.` every 10 seconds. This will reduce the size of the build log.
In addition,
We need to think more about how to do this, but it would be interesting to provide the GitHub token of the user using the browser and publish a release or call GitHub API using it.
For example, currently, the `wait-for-secrets` Action is released using a PAT. PAT is created manually and entered during the workflow. After the workflow is completed, the PAT is deleted.
It would be nice if this process could be made simpler.
`wait-for-secrets` times out after 10 minutes if no secrets are provided. We should make this time-out interval configurable using an action input.
Check out the feature here: https://github.com/8398a7/action-slack
The goal is to allow setting a `SLACK_WEBHOOK_URL` as an action input. Users of this action can then specify this value to send the URL to Slack.
After the secrets are entered, the UI shows a blank page.
We need to update the page to show that secrets have already been entered and show some basic details, and link back to the workflow run.
Ideally, the secrets should be encrypted end-to-end so the backend API cannot access them. Only the GitHub Action should be able to decrypt the secrets.
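One way the end-to-end encryption described above could work, as an added example that is not part of the original issue or the project's code: the Action creates a per-job RSA key pair, the browser page encrypts to the public key, and the backend only relays an opaque envelope. The function names, the envelope fields and the `context` string are assumptions, and the browser side is simulated here with Node's `crypto` module.

```javascript
const crypto = require('crypto');

// Assumed RSA-OAEP parameters, used identically by both sides.
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Action side: ephemeral key pair per job; only the public key leaves the runner.
function createJobKeys() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Browser side (simulated): encrypt the secrets with a fresh AES-256-GCM key and
// wrap that key for the job. `context` (hypothetical, e.g. repo plus run id) is
// bound as AAD so an envelope cannot be replayed into a different job.
function sealSecrets(publicPem, secrets, context) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context));
  const ct = Buffer.concat([cipher.update(JSON.stringify(secrets), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return {
    wrappedKey: b64(crypto.publicEncrypt(oaep(publicPem), key)),
    iv: b64(iv),
    ct: b64(ct),
    tag: b64(cipher.getAuthTag()),
  };
}

// Action side: unwrap the AES key and decrypt. Throws if the envelope was
// modified in transit or was sealed for a different context.
function openSecrets(privateKey, envelope, context) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = crypto.privateDecrypt(oaep(privateKey), raw(envelope.wrappedKey));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw(envelope.iv));
  decipher.setAAD(Buffer.from(context));
  decipher.setAuthTag(raw(envelope.tag));
  const pt = Buffer.concat([decipher.update(raw(envelope.ct)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}
```

A backend that relays the public key could substitute its own, so the user needs an independent check, such as comparing a key fingerprint printed in the job log.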