build: get build working on cloud.gov #61

Open
4 tasks done
hollandjg opened this issue May 23, 2023 · 1 comment

Comments


hollandjg commented May 23, 2023

Background: @metzgr from the General Services Administration was trying to set up the federal project portal on their Cloud.Gov Pages service. The error message was that the package couldn’t be downloaded because NPM wasn’t authenticated against the GitHub Package Registry.

Assessment

  • It looks to me as though you’ve always got to authenticate to install things from the GitHub Package Repository, even if the package is public.

    You need an access token to publish, install, and delete private, internal, and public packages. (From GitHub Docs)

  • I couldn’t get the authentication working properly with docker compose yesterday, and I’m not sure what the problem was.
  • We’re bound to hit more problems long term if we keep the package behind authentication on the GitHub Package Repository:
    • Development: we’ve all always got to set up the authentication tokens on our local machines to get the portal running locally.
    • Production: there will be management costs involved in keeping the tokens up to date for all the sites.
  • I think it would be good if we could get rid of that authentication requirement.
  • I think the easiest way would be to publish on npmjs.com rather than (or in addition to) the GitHub Package Repository.

Questions:

  • Can we simplify the authentication for the GitHub Package Registry in https://github.com/thepolicylab-projectportals/fed-content so that it’s sufficient to set a single environment variable with the token and that the install just works?
  • Alternative: I’m not sure that we have any benefit from “hiding” the code behind authentication. I’m also not sure of any new risks if we make it openly available. Does anyone see any issue with publishing the current packages on npmjs.com?
  • Do we want to open source the repository as well? We’ll need to go through the code and its history and check:
    • … that there are no secrets (tokens) shared anywhere, and if there are, to make sure they have been invalidated.
    • … that there are no bits of personally identifiable information which shouldn’t be available on the web, and if so, strip them from the repo.

Potential tasks for @thepolicylab-projectportals/ccv, depending on the answers above:

  • Simplify the token setup in https://github.com/thepolicylab-projectportals/fed-content to use a single environment variable. This turned out to be difficult, so we'll try the second option.
  • Update the GitHub Action for publishing to push to npmjs.com in addition to the GitHub Package Registry.
  • Update the fed-content repository to use the new public package.
  • Go through the theme repository and do the secrets/PII check, clean up and then make public.

hetd54 commented Dec 14, 2023

For this issue, the final step is to receive feedback from the federal team to confirm it is working.
