[HN Gopher] Show HN: Publish from GitHub Actions using multi-factor authentication

The backstory about this GitHub Action: I discussed with an open-source maintainer why they publish npm packages from their local machine and do not use CI/CD pipelines. They said publishing should require human intervention and that they want to continue using multi-factor authentication to publish to the npm registry. This led to building the wait-for-secrets GitHub Action. It prints a URL in the build log and waits for secrets to be entered using a browser. Once entered, the workflow continues, and secrets can be used in future steps.

The latest release of "eslint-plugin-react" to the npm registry used a one-time password (OTP) from a GitHub Actions workflow!

https://github.com/jsx-eslint/eslint-plugin-react/actions/ru...

Author : varunsharma07
Score : 28 points
Date : 2022-12-06 18:05 UTC (4 hours ago)

| gauravphoenix wrote:
| Congrats Varun :) Great to see my ex-roommate's post on HN front page.
|
| Fun fact: Varun is a super smart engineer, he even won a car in a competition:
|
| https://www.oneindia.com/2006/06/29/microsoft-security-shoot...
|
| I would highly encourage HNers to try out his github action.
  | varunsharma07 wrote:
  | Thanks, Gaurav :)!
| ajvpot wrote:
| Have you considered adding some kind of encryption of the secrets with a preshared key generated inside the action to make the SaaS zero-knowledge? Currently it appears the service can read all the secrets in plaintext.
  | varunsharma07 wrote:
  | Added an issue to track this: https://github.com/step-security/wait-for-secrets/issues/56
  |
  | The backend API is open-source, and the secrets are cleared immediately after use from the data store, but I agree this is a good idea.
  | thewataccount wrote:
  | This is tangential to your comment and not a complaint - that isn't zero-knowledge, that is end-to-end encryption.
  |
  | I've been noticing a lot of marketing materials describe themselves as "zero-knowledge" when it's just E2EE.
  |
  | I definitely agree it would be nice to have.
| 0xbadcafebee wrote:
| Anyone have recommendations for a server-push authentication thingy similar to Microsoft Authenticator? On sign-in to an Office365 site, MSA will prompt you on your phone's app to authorize the login. I want the same thing but self-hosted & open source. Any suggestions?