On Tue, Nov 25, 2014 at 4:48 PM, Steven Gill <[email protected]> wrote:
> Hey Everyone,
>
> So I need to add credentials to my workspace for uploading a nightly build
> to npm for cordova.
>
> The command I need to run is `npm login` or `npm addUser`. It would prompt
> me to add my username, password and email. I think I only need to do this
> once and it would be saved in my workspace, but I would like it to be able
> to work if I started a new workspace from scratch.
>
> How do I do this in a way that is secure? I don't want to write my
> credentials into my build step.
>
> I assume a similar problem would exist for pushing changes to git.
>
So - it depends.

We have this functionality for Nexus, but only allow Jenkins to publish 'snapshot' builds for developers, and (IIRC) those stay on the ASF's Nexus implementation. We use a role account on Nexus for Jenkins to publish those snapshots. We don't allow the Jenkins role account to publish releases.

This doesn't mean that we wouldn't allow a role account setup on Jenkins to publish to NPM - but the specific issue is that anyone from any project could at any time run a job that publishes an artifact to NPM. (I don't think they have the concept of snapshot builds, from my 30 seconds of reading.) I suspect that most people consume Cordova from NPM rather than downloading source, which makes that something to guard closely, rather than having a job that anyone with a Jenkins account could trigger.

And FTR, I don't think we would ever allow an automated system to commit back to a project's source code tree without input from a committer. (Obviously we have automated commits for things like websites, etc., but again almost all of that is initiated by a committer).

--David
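The question in the quoted mail (getting `npm login` credentials into a Jenkins job without pasting them into the build step, and without leaving them behind in a reused workspace) has a standard shape, shown below as an added example; it is not code from the thread, from Cordova or from the ASF builds setup. It assumes the CI system hands the role account's username, password and email to the job as environment variables from its own secret store (for Jenkins that would be a credentials binding; the variable names `NPM_USER`, `NPM_PASS`, `NPM_EMAIL` and the `CI_PUBLISH` guard are assumptions). The script writes what `npm adduser` would have written (a `.npmrc` with the base64 `_auth` pair and `email`, the format npm used at the time) into a private temporary directory rather than the workspace, points npm at it with the `--userconfig` flag for the one publish, and deletes it on exit, so nothing persists into the next build or into a fresh workspace.

```shell
#!/bin/sh
# Added example (not from the thread): publish a nightly to npm from CI
# without writing npm credentials into the job definition or the workspace.
# Assumed: the CI secret store injects NPM_USER, NPM_PASS and NPM_EMAIL.
set -eu

# Write a one-off .npmrc in a fresh private temp dir (never in the workspace).
# npm's basic-auth form is _auth=base64("user:password") plus email.
# Returns (prints) the path of the file.
write_npmrc() {
    user="$1"; pass="$2"; email="$3"
    dir=$(mktemp -d)
    rc="$dir/.npmrc"
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
    # umask in a subshell so the file is created 0600 from the start,
    # not created world-readable and tightened afterwards.
    ( umask 077; printf '_auth=%s\nemail=%s\nalways-auth=true\n' \
        "$auth" "$email" > "$rc" )
    chmod 600 "$rc"
    printf '%s\n' "$rc"
}

# Run the publish with the temporary userconfig, then remove it whatever
# happens. 'set +x' keeps the credential file path and contents out of a
# build log if the job runs the shell with tracing on.
publish_with_npmrc() {
    rc="$1"; shift
    trap 'rm -rf "$(dirname "$rc")"' EXIT
    set +x
    npm --userconfig "$rc" publish --tag nightly "$@"
}

# Entry point for the job; guarded so sourcing the file for tests does
# nothing. CI_PUBLISH=1 is an assumed job variable.
if [ "${CI_PUBLISH:-}" = 1 ]; then
    rc=$(write_npmrc "$NPM_USER" "$NPM_PASS" "$NPM_EMAIL")
    publish_with_npmrc "$rc"
fi
```

The publish step still needs the governance answer from the reply above: the account whose password lands in `NPM_PASS` should be a role account that can publish only the nightly tag, and the job should not be triggerable by every Jenkins user, because the script above makes publishing easy by design.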
