Background: @metzgr from the General Services Administration was trying to set up the federal project portal on their Cloud.Gov Pages service. The error message was that the package couldn’t be downloaded because NPM wasn’t authenticated against the GitHub Package Registry.
Assessment
It looks to me as though you’ve always got to authenticate to install things from the GitHub Package Repository, even if the package is public.
I couldn’t get the authentication working properly with docker compose yesterday, and I’m not sure what the problem was.
We’re bound to hit more problems long term if we keep the package behind authentication on the GitHub Package Repository:
Development: we’ve all always got to set up the authentication tokens on our local machines to get the portal running locally.
Production: there will be management costs involved in keeping the tokens up to date for all the sites.
I think it would be good if we could get rid of that authentication requirement.
I think the easiest way would be to publish on npmjs.com rather than (or in addition to) the GitHub Package Repository.
Questions:
Can we simplify the authentication for the GitHub Package Registry in https://github.com/thepolicylab-projectportals/fed-content so that it’s sufficient to set a single environment variable with the token and that the install just works?
Alternative: I’m not sure that we have any benefit from “hiding” the code behind authentication. I’m also not sure of any new risks if we make it openly available. Does anyone see any issue with publishing the current packages on npmjs.com?
Do we want to open source the repository as well? We’ll need to go through the code and its history and check:
… that there are no secrets (tokens) shared anywhere, and if there are, to make sure they have been invalidated.
… that there are no bits of personally identifiable information which shouldn’t be available on the web, and if so, strip them from the repo.
Potential tasks for @thepolicylab-projectportals/ccv, depending on the answers above:
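For the history check raised in the third question, a sketch added here (not code from the issue or the project): it scans `git log -p --all` text for GitHub and npm token shapes and for literal `_authToken=` values, while accepting the `${VAR}` form that npm expands from the environment, which is the single-variable setup the first question asks about. The variable name `NODE_AUTH_TOKEN`, the function name and the sample history are assumptions constructed for illustration.

```python
import re

# Known token shapes: GitHub (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_) and npm (npm_).
TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}|npm_[A-Za-z0-9]{36})\b")
AUTH_RE = re.compile(r"_authToken\s*=\s*(\S+)")           # .npmrc / npm config auth entry
ENV_REF_RE = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")  # ${VAR}: a reference, not a secret

def scan_patch_log(text):
    """Scan `git log -p --all` text; return (commit, path, kind, redacted) tuples."""
    findings, commit, path, in_header = [], None, None, False
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("diff --git "):
            in_header = True
        elif line.startswith("@@"):
            in_header = False
        elif in_header:
            if line[:4] in ("--- ", "+++ ") and not line.endswith("/dev/null"):
                path = line[6:]  # drop the "--- a/" or "+++ b/" prefix
        elif line.startswith(("+", "-")):
            # Removed lines count too: a deleted token is still in the history.
            body = line[1:]
            for m in TOKEN_RE.finditer(body):
                findings.append((commit, path, "token", m.group()[:6] + "..."))
            m = AUTH_RE.search(body)
            if m and not ENV_REF_RE.fullmatch(m.group(1)) and not TOKEN_RE.search(m.group(1)):
                findings.append((commit, path, "literal-authToken", m.group(1)[:3] + "..."))
    return findings

FAKE = "ghp_" + "A" * 36  # constructed placeholder, not a real token
SAMPLE = "\n".join([      # constructed history, newest commit first
    "commit 3333333333333333333333333333333333333333",
    "diff --git a/.npmrc b/.npmrc", "--- a/.npmrc", "+++ b/.npmrc", "@@ -1,2 +1,2 @@",
    " @thepolicylab-projectportals:registry=https://npm.pkg.github.com",
    "-//npm.pkg.github.com/:_authToken=" + FAKE,
    "+//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}",
    "commit 2222222222222222222222222222222222222222",
    "diff --git a/deploy.sh b/deploy.sh", "--- a/deploy.sh", "+++ b/deploy.sh", "@@ -3,0 +4 @@",
    "+npm config set //npm.pkg.github.com/:_authToken=constructed-legacy-value",
    "commit 1111111111111111111111111111111111111111",
    "diff --git a/.npmrc b/.npmrc", "new file mode 100644", "--- /dev/null", "+++ b/.npmrc",
    "@@ -0,0 +1,2 @@",
    "+@thepolicylab-projectportals:registry=https://npm.pkg.github.com",
    "+//npm.pkg.github.com/:_authToken=" + FAKE,
])

if __name__ == "__main__":
    for finding in scan_patch_log(SAMPLE):
        print(*finding)
```

Any token the scan reports has to be invalidated at its issuer; stripping it from a later commit leaves it readable in the history.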