[wp-meta] [Making WordPress.org] #6087: Provide a GitHub Integration for Plugins
Making WordPress.org
noreply at wordpress.org
Tue Feb 8 02:14:49 UTC 2022
#6087: Provide a GitHub Integration for Plugins
------------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: enhancement | Status: new
Priority: low | Milestone:
Component: Plugin Directory | Resolution:
Keywords: |
------------------------------+---------------------
Comment (by dd32):
Replying to [comment:3 JeffPaul]:
> > but that requires storing the committer's password on GitHub, **which not all are comfortable doing**.
> (note I added the emphasis above)
>
> The password is stored as a GitHub secret and can be done at an org-level and maintained there and not within individual repos (for folks who maintain multiple plugins within a single org).
To be clear: if someone wanted to do that, that's fine, but WordPress.org can't really say "Share your password with a 3rd party company", nor can we just expect everyone to be comfortable doing that. It also makes things more complicated for those who change passwords often or use a password manager.

It would be better if an Application Password could be used at least, so that the auth token is specific to its use case and can be revoked or not allowed to be used for login.
[https://code.trac.wordpress.org/browser/mod_auth_mysql but our auth extension for SVN is not exactly super flexible], and I'm hesitant to be the one to write the extensions to it needed and end up as the forever maintainer.
There have been cases in the past where PRs against a GitHub repo have been used to leak secrets (although these could be seen as misconfigurations). This covers some aspects and even suggests storing scoped tokens: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
I recognise that the existing GHA has had significant investment from 10up in support, development, and ongoing maintenance, but having a native option would be beneficial for all plugin developers and even reviewers.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/6087#comment:6>
Making WordPress.org <https://meta.trac.wordpress.org/>
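For readers following the thread, the workflow shape being discussed (a GitHub Actions job that deploys to the plugin SVN using credentials held as GitHub secrets) looks like the following. This is an added illustration, not part of the ticket and not code from WordPress.org or 10up; the `SVN_USERNAME`, `SVN_PASSWORD` and `SLUG` environment variable names are taken from the public README of the 10up deploy action and the tag-only trigger is an assumption chosen to keep the secret away from pull-request runs, which is the risk the comment and the linked hardening guide describe.

```yaml
# Added example: deploy-to-wordpress-org.yml (constructed, not from the ticket)
name: Deploy to WordPress.org

on:
  # Only run on tag pushes from this repository. Never trigger on
  # pull_request / pull_request_target here: a fork PR must not be able to
  # reach a job that has deploy credentials in its environment.
  push:
    tags:
      - "*"

# Least privilege for the automatic GITHUB_TOKEN; the deploy needs none.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # A GitHub environment lets the org require reviewers or restrict which
    # branches/tags may use the secrets attached to it (assumed environment name).
    environment: wordpress-org-release
    steps:
      - uses: actions/checkout@v3

      - name: Deploy plugin to SVN
        # Env var names as documented by 10up/action-wordpress-plugin-deploy.
        uses: 10up/action-wordpress-plugin-deploy@stable
        env:
          # Both values come from org- or environment-level secrets, so they
          # are maintained once and never committed to the repo. If an
          # Application Password (revocable, not usable for login) is ever
          # accepted by the SVN auth layer, it is what should be stored here.
          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
          SLUG: example-plugin   # placeholder plugin slug
```

The security-relevant choices are the trigger (tags only, no pull-request events), the `permissions` block, and keeping the credentials in org- or environment-scoped secrets rather than in the repository; none of this changes the ticket's point that what is being stored is still a full account password until a scoped credential is supported.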