
How do I use Gemfury tokens securely in CircleCI?

I'm using gemfury to host a private package that will be used by other people in my github organization. I'm also using CircleCI (but this applies to any CI system) for building/pushing. My CI setup watches for any new tags in github and then pushes this new tag to gemfury.

My issue with the current setup is that I'm using my personal access token to authenticate. To me, this means the builds are dependent on my status as collaborator of the organization, and would break if I were to leave. I know I could instead use the Account token, but it feels insecure (what happens if the token is compromised?).

Ideally I would be able to generate application-specific push tokens that belong to the organization, and use those in CircleCI. If the token is compromised, it could be easily revoked and it wouldn't break other applications. However, gemfury does not offer this option.

I think my only option is to create a "fake" CI user and add it to my github organization. I could then use this user's personal token to push builds. Is this correct? Are there any other better approaches? I don't want to have to add a fake user for every package.

You are in luck!

Under the menu item Tokens when logged in, you can find a tabbed interface, where Push tokens can be created:

Push tokens βeta

These tokens can authorize new package uploads for this account. You can integrate these into your CI builds, etc.

These are impersonal, and can be used for this!

Good luck!
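
As an added example (not part of the original answer, and not Gemfury's or CircleCI's own code), here is one way a CI job can use such a push token without it appearing in the repository, in process arguments or in `set -x` traces. The variable names `FURY_PUSH_TOKEN` and `FURY_ACCOUNT` are hypothetical, and the `push.fury.io` upload URL form is assumed from Gemfury's curl upload instructions.

```shell
#!/bin/sh
# Added example. FURY_PUSH_TOKEN and FURY_ACCOUNT are hypothetical names for
# CircleCI project/context environment variables; they are never committed.

# Fail early if a required value is empty, naming it but never echoing it.
require_value() {
  if [ -z "$2" ]; then
    echo "error: $1 is not set" >&2
    return 1
  fi
}

# Emit a curl config carrying the token as the basic-auth user name.
# Piping this into `curl --config -` keeps the token out of argv (and `ps`).
# Arguments: token, account, package path.
fury_curl_config() {
  nl='
'
  # Reject characters that could break out of the quoted config values.
  case "$1$2$3" in
    *\"*|*\\*|*"$nl"*) echo "error: unsafe character in input" >&2; return 1 ;;
  esac
  # Assumed endpoint form: https://push.fury.io/<account>/
  printf 'url = "https://push.fury.io/%s/"\n' "$2"
  printf 'user = "%s:"\n' "$1"
  printf 'form = "package=@%s"\n' "$3"
  printf 'fail\nsilent\nshow-error\n'
}

# Upload one built package file; returns non-zero on any failure.
push_to_fury() {
  require_value FURY_PUSH_TOKEN "${FURY_PUSH_TOKEN:-}" || return 1
  require_value FURY_ACCOUNT "${FURY_ACCOUNT:-}" || return 1
  [ -f "$1" ] || { echo "error: no such file: $1" >&2; return 1; }
  # Subshell with xtrace off, so a CI-wide `set -x` cannot log the token.
  ( set +x
    fury_curl_config "$FURY_PUSH_TOKEN" "$FURY_ACCOUNT" "$1" | curl --config - )
}
```

In the CircleCI job, the tag-triggered step would source this file and call `push_to_fury` with the built package path; revoking the push token in Gemfury then only requires updating the one environment variable.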
