[HN Gopher] Show HN: Publish from GitHub Actions using multi-fac...
___________________________________________________________________
Show HN: Publish from GitHub Actions using multi-factor
authentication
The backstory about this GitHub Action: I discussed with an open-
source maintainer why they publish npm packages from their local
machine and do not use CI/CD pipelines. They said publishing
should require human intervention and wanted to continue using
multi-factor authentication to publish to the npm registry. This led
to building the wait-for-secrets GitHub Action. It prints a URL in
the build log and waits for secrets to be entered using a browser.
Once entered, the workflow continues, and the secrets can be used in
later steps. The latest release of "eslint-plugin-react" to the npm
registry used a one-time password (OTP) from a GitHub Actions
workflow!
https://github.com/jsx-eslint/eslint-plugin-react/actions/ru...
Author : varunsharma07
Score : 28 points
Date : 2022-12-06 18:05 UTC (4 hours ago)
| gauravphoenix wrote:
| Congrats Varun :) Great to see my ex-roommate's post on HN front
| page.
|
| Fun fact: Varun is a super smart engineer; he even won a car in a
| competition:
|
| https://www.oneindia.com/2006/06/29/microsoft-security-shoot...
|
| I would highly encourage HNers to try out his github action.
| varunsharma07 wrote:
| Thanks, Gaurav :)!
| ajvpot wrote:
| Have you considered adding some kind of encryption of the secrets
| with a preshared key generated inside the action to make the SaaS
| zero-knowledge? Currently it appears the service can read all the
| secrets in plaintext.
| varunsharma07 wrote:
| Added an issue to track this:
| https://github.com/step-security/wait-for-secrets/issues/56
|
| The backend API is open-source, and the secrets are cleared
| immediately after use from the data store, but I agree this is
| a good idea.
| thewataccount wrote:
| This is tangential to your comment and not a complaint - that
| isn't zero-knowledge, that is end-to-end encryption.
|
| I've been noticing a lot of marketing materials describe
| themselves as "zero-knowledge" when it's just E2EE.
|
| I definitely agree it would be nice to have.
| 0xbadcafebee wrote:
| Anyone have recommendations for a server-push authentication
| thingy similar to Microsoft Authenticator? On sign-in to an
| Office365 site, MSA will prompt you on your phone's app to
| authorize the login. I want the same thing but self-hosted & open
| source. Any suggestions?
| [deleted]
___________________________________________________________________
(page generated 2022-12-06 23:00 UTC)