Please prefix the issue title with the project name i.e. [rush], [api-extractor] etc.
Is this a feature or a bug?
Please describe the actual behavior.
Currently when publishing using Rush, the NPM token is passed via the command-line like this example:
- script: 'node common\scripts\install-run-rush.js version --bump --version-policy $(VersionPolicy) --target-branch $(Build.SourceBranchName)'
displayName: 'Rush Version'
- script: 'node common\scripts\install-run-rush.js publish --apply --publish --include-all --target-branch $(Build.SourceBranchName) --npm-auth-token $(npmToken) --add-commit-details --set-access-level public'
displayName: 'Rush Publish'
Although we use an environment variable $(npmToken), the variable gets expanded in the build log when invoking Rush:
node common\scripts\install-run-rush.js publish --apply --publish --include-all --target-branch master --npm-auth-token *** --add-commit-details --set-access-level public
...and when Rush shows how it was invoked:
Invoking "rush publish --apply --publish --include-all --target-branch master --npm-auth-token *** --add-commit-details --set-access-level public"
...and again when Rush executes PNPM:
* EXECUTING: D:\a\1\s\common\temp\pnpm-local\node_modules\.bin\pnpm publish --//registry.npmjs.org/:_authToken=*** --access public (libraries\package-deps-hash)
In all three cases, the authentication token gets replaced with *** because Azure DevOps is smart enough to detect the string and protect it. However, I've seen evidence that some other CI systems don't have this feature.
What is the expected behavior?
We should pass the tokens as environment variables instead of as command-line parameters. This would be much more secure, because environment variables don't get saved to disk, and aren't viewable by other processes running on the machine.
How to implement this
There are 3 pieces:
- Update the Rush command-line to accept environment variables. The
ts-command-line library makes this very easy; we would just specify the IBaseCommandLineDefinition.environmentVariable property for parameters like --npm-auth-token
- When we invoke PNPM, pass the credentials as environment variables. If that's very difficult to do, another option would be to change the
* EXECUTING: log message so that it deletes the token from the log output, rather than relying on Azure DevOps to do this.
- Update the Rush website examples to illustrate using the environment variables, rather than using the command-line parameters. And mention that this is a best practice for security.
Please prefix the issue title with the project name i.e. [rush], [api-extractor] etc.
Is this a feature or a bug?
Please describe the actual behavior.
Currently when publishing using Rush, the NPM token is passed via the command-line like this example:
Although we use an environment variable
$(npmToken), the variable gets expanded in the build log when invoking Rush:...and when Rush shows how it was invoked:
...and again when Rush executes PNPM:
In all three cases, the authentication token gets replaced with
***because Azure DevOps is smart enough to detect the string and protect it. However, I've seen evidence that some other CI systems don't have this feature.What is the expected behavior?
We should pass the tokens as environment variables instead of as command-line parameters. This would be much more secure, because environment variables don't get saved to disk, and aren't viewable by other processes running on the machine.
How to implement this
There are 3 pieces:
ts-command-linelibrary makes this very easy; we would just specify the IBaseCommandLineDefinition.environmentVariable property for parameters like--npm-auth-token* EXECUTING:log message so that it deletes the token from the log output, rather than relying on Azure DevOps to do this.