[wp-meta] [Making WordPress.org] #5555: Introduce deploy keys for SVN

Making WordPress.org noreply at wordpress.org
Mon Dec 21 00:12:18 UTC 2020

#5555: Introduce deploy keys for SVN
 Reporter:  Clorith           |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:                    |

Comment (by dd32):

 > I don't know if it's possible to add multiple keys to a user, so that
 application password like keys could be added for a user on SVN, and that
 wouldn't solve the problem of maintainer ownership transfers with 3rd
 party systems.

 Application Passwords are possible, part of the problem is that we're
 using BASIC auth though, and the `mod_auth_mysql` Apache auth module seems
 to only support a singular user/pass combination. (Note: We we another
 module to provide WP password hash support)

 > all SVN assets get their own user, with an auto-generated key (the key
 can be revoked to get a new one from within the plugin admin screen by
 anyone with commit access, and a notification being sent to all committers
 if this is done).

 Unfortunately, we can't easily enable key-based authentication due to
 using SVN over HTTPs with path restrictions per-user (plugin). (Key based
 required ssh+svn which doesn't support per-path auth, and HTTPS doesn't
 offer key-based auth AFAIK)

 But assuming that you're suggesting an auto-generated user w/ password for
 commit/deployment purposes, that's possible currently with the current SVN
 setup, and is how I personally do it. I've got a
 [https://profiles.wordpress.org/dd32-githubsync/ dd32-githubsync] user
 whose only purpose is to commit on my behalf to SVN from GitHub..

 While we could add a single-button create-svn-user type thing, I'm not
 100% sure that'll actually be beneficial in the long run?

 > If we wanted to take it one step further, and make sure that uses of
 GitHub actions (which would be my preferred approach) do not cause issues,
 we could very easily create our own wp-plugin-deploy action, that would
 help authors not make mistakes during releases.

 Having something similar to the 10up deployer that's 'official' would make
 lives easier, last time I went down that path though, I found a better
 option was to ditch SVN and have the plugin directory pull directly from
 GitHub releases ([https://github.com/dd32/wordpress.org/tree/feature/gh-
 plugin-dir GitHub feature branch]) but I never finalised that.. after
 running into limitations of the GitHub api at the time, but since then,
 things such as GitHub actions have launched.. so it might be easier to
 just do an official deployer action.
 The other option is installation of a WordPress Plugin Directory app which
 can do the auth with the plugin directory and/or trigger action builds via

Ticket URL: <https://meta.trac.wordpress.org/ticket/5555#comment:2>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list