chore: [ODIN-1467] appveyor security & docs #147

anothersmith · Feb 17, 2022 · a558a3a · a558a3a
1 parent 35d2344
commit a558a3a
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 3 deletions.
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
@@ -49,11 +49,15 @@ jobs:
           git push --follow-tags
           yarn publish --tag provisional-release --access public
         env:
+          # NPM Publish Token
           NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          # NPM Username
           USERNAME: ${{secrets.USERNAME}}
+          # NPM Email
           EMAIL: ${{secrets.EMAIL}}
           # used by prebuild to publish artifacts
           GITHUB_TOKEN: ${{secrets.RELEASE_JOB_UPLOAD_ARTIFACTS_TOKEN}}
+          # AWS user creds for s3 test
           AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
           AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
       - name: Enable "include administrators" branch protection

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -37,6 +37,5 @@ jobs:
           yarn lint:check
           yarn test:ci
         env:
-          NODE_AUTH_TOKEN: ${{secrets.BUILD_JOB_GITHUB_REGISTRY_TOKEN}}
           AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
           AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
diff --git a/appveyor.yml b/appveyor.yml
@@ -9,6 +9,13 @@ image: macos
 
 environment:
   nodejs_version: "12"
+  # same as RELEASE_JOB_UPLOAD_ARTIFACTS_TOKEN in github secrets, used to upload binaries to github releases
+  GITHUB_TOKEN:
+    secure: V9NUG3nW2iIL+WK5/HNHnhdGy1CZ6v4nbwjW79oaDAJ7GhaqU7faD026/JWlMaXI
+  AWS_ACCESS_KEY_ID:
+    secure: +i20g2Qtc2es30ynkLSoHP8mGkGKQebQNJgU9pj9RI0=
+  AWS_SECRET_ACCESS_KEY:
+    secure: n67mcRbzmDqHeUV52SXg9Aqz5pSHzEzQvhSa49TgtbXrFFuKi0Ee4xCSS5ugFcSX
 
 install:
   - brew install openssl

diff --git a/docs/DEVELOPING.md b/docs/DEVELOPING.md
@@ -33,7 +33,28 @@ Workflow notes:
 
 - if addon code is changed in your PR, the package.json version should also be changed manually, otherwise the old binary will be used in CI/CD and elsewhere
 
-## Automated Release
+## Information for internal contributors
+
+### Important
+
+Only allow external contributors' PR jobs to be run after inspecting the changes for any security issues (namely exposing github/appveyor tokens/secrets).
+
+### Service Users & their Tokens
+
+- `DeepDuckla` - GitHub/AppVeyor user.
+  - GitHub credentials are found in 1Password under the name `DeepDuckla`.
+  - Login to AppVeyor via GitHub.
+  - User's PATs are used to run GitHub actions and AppVeyor jobs.
+- `dforsber-duckdb-test` - AWS user for running s3 tests
+  - Credentials in Dev IAM.
+  - It's only needed to access the amazon s3 bucket, so any external user can create his own user if need be.
+- `deepcrawl-tech` - NPM User
+  - Credentials in 1Password
+  - Used to publish to NPM
+
+All tokens have the minimum required permissions and are exposed via GitHub secrets or AppVeyor secure variables.
+
+### Automated Release
 
 Once `master` is ready to be released:
 
@@ -65,7 +86,7 @@ yarn tag add node-duckdb@xxx latest
 
 You can now continue merging into master.
 
-## Manual Release
+### Manual Release
 
 On a mac: