堆栈内存溢出
  简体   繁体   English

如何在CircleCI中安全地使用Gemfury令牌?

[英]How do I use Gemfury tokens securely in CircleCI?

 原文  2018-07-26 04:04:21       authentication/ continuous-integration/ circleci/ gem-fury

问题描述

I'm using gemfury to host a private package that will be used by other people in my github organization. 我正在使用gemfury托管一个私有包,该私有包将由我的github组织中的其他人使用。 I'm also using CircleCI (but this applies to any CI system) for building/pushing. 我还使用CircleCI(但这适用于任何CI系统)进行构建/推送。 My CI setup watches for any new tags in github and then pushes this new tag to gemfury. 我的CI安装程序会监视github中的任何新标签,然后将此新标签推送到gemfury。

My issue with the current setup is that I'm using my personal access token to authenticate. 当前设置的问题是我正在使用个人访问令牌进行身份验证。 To me, this means the builds are dependent on my status as collaborator of the organization, and would break if I were to leave. 对我来说,这意味着构建取决于我作为组织协作者的身份,并且如果我要离开的话,构建会失败。 I know I could instead use the Account token, but it feels insecure (what happens if the token is compromised?). 我知道我可以改用Account令牌,但是感觉不安全(如果令牌被盗,会发生什么?)。

Ideally I would be able to generate application-specific push tokens that belong to the organization, and use those in CircleCI. 理想情况下,我将能够生成属于组织的特定于应用程序的推送令牌,并在CircleCI中使用它们。 If the token is compromised, it could be easily revoked and it wouldn't break other applications. 如果令牌遭到破坏,则很容易将其吊销,并且不会破坏其他应用程序。 However, gemfury does not offer this option. 但是,gemfury不提供此选项。

I think my only option is to create a "fake" CI user add add it to my github organization. 我认为我唯一的选择是创建一个“假” CI用户,然后将其添加到我的github组织中。 I could then use this user's personal token to push builds. 然后,我可以使用该用户的个人令牌来推送构建。 Is this correct? 这个对吗? Are there any other better approaches? 还有其他更好的方法吗? I don't want to have to add a fake user for every package. 我不想为每个软件包都添加一个假用户。

1 个解决方案

解决方案1
 2 已采纳  2018-10-26 08:20:07

You are in luck! 你真幸运!

Under the menu item Tokens when logged in, you can find a tabbed interface, where Push tokens can be created: 在登录时的菜单项令牌下,您可以找到一个选项卡式界面,可以在其中创建Push tokens

Push tokens βeta 推送令牌βeta

These tokens can authorize new package uploads for this account. 这些令牌可以授权该帐户上传新的软件包。 You can integrate these into your CI builds, etc. 您可以将它们集成到您的CI构建中,等等。

These are impersonal, and can be used for this! 这些是非个人的,可以用于此目的!

Good luck! 祝好运!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何通过会话令牌和cookie安全地进行身份验证? 更新 - How to authenticate securely by session tokens and cookies? updated 如何仅在Web浏览器中安全地使用REST API? - How do I securely use a REST API solely from within a web browser? 我需要为这种应用程序使用访问令牌吗? - Do I need to use Access Tokens for this kind of application? 如何安全地让我的用户使用刷新令牌登录? - How to securely keep my users signed in with refresh tokens? 我应该如何安全地存储密码并在chrome扩展程序中使用http auth - How should I securely store passwords and use http auth in a chrome extension 如何安全地进行跨域身份验证? - How to do cross-domain authentication securely? 如何正确使用Bearer令牌? - How to properly use Bearer tokens? Web API承载令牌 - 我可以使用自定义令牌吗? - Web API Bearer tokens - can I use custom tokens? 如何在前端使用令牌进行身份验证 - How to use tokens in frontend for authentication 网站如何验证用户是否安全登录? - How do websites verify that a user is logged in securely?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM