[wp-meta] [Making WordPress.org] #6087: Provide a GitHub Integration for Plugins

Making WordPress.org noreply at wordpress.org
Tue Feb 8 02:14:49 UTC 2022


#6087: Provide a GitHub Integration for Plugins
------------------------------+---------------------
 Reporter:  dd32              |       Owner:  (none)
     Type:  enhancement       |      Status:  new
 Priority:  low               |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:                    |
------------------------------+---------------------

Comment (by dd32):

 Replying to [comment:3 JeffPaul]:
 > > but that requires storing the committers password on GitHub, **which
 not all are comfortable doing**.
 > (note I added the emphasis above)
 >
 > The password is stored as a GitHub secret and can be done at an org-
 level and maintained there and not within individual repos (for folks who
 maintain multiple plugins within a single org).

 To be clear, if someone wanted to do that, that's fine, but WordPress.org
 can't really say "Share your password with a 3rd party company", nor can
 we just expect everyone to be comfortable doing that. It also makes things
 more complicated for those who change passwords often or use a password
 manager.

 It would be better if an Application Password could be used at least, so
 that the auth token is specific to its use-case and can be revoked or not
 allowed to be used for login.
 [https://code.trac.wordpress.org/browser/mod_auth_mysql But our auth
 extension for SVN is not exactly super flexible], and I'm hesitant to be
 the one to write the extensions to it needed and end up as the forever
 maintainer.

 There have been cases in the past where PRs against a GitHub repo have been
 used to leak secrets (although these could be seen as mis-configurations).
 This covers some aspects and even suggests storing scoped tokens:
 https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

 I recognise that the existing GHA has had significant investment from 10up
 in support, development, and ongoing maintenance, but having a native
 option would be beneficial for all plugin developers and even reviewers.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/6087#comment:6>
Making WordPress.org <https://meta.trac.wordpress.org/>
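The secret-leak pattern the comment refers to (a pull request triggering a workflow that runs the PR's own code while the repository's secrets are in scope) is worth seeing concretely. What follows is an added illustration for this archive page; it is not code from the ticket, from WordPress.org, or from the 10up action discussed in the thread. The workflow file names, the `SVN_USERNAME`/`SVN_PASSWORD` secret names, the `wordpress-org` environment name, the `npm test` step and the `./bin/deploy-to-svn.sh` script are all assumptions chosen for the example. The first document shows the mis-configuration; the two after it show the hardened shape recommended by the GitHub security-hardening guide linked above.

```yaml
# .github/workflows/test.yml  (INSECURE variant, constructed for illustration)
# pull_request_target runs in the context of the base repository, so the
# repository's (or org's) secrets are available to the job. Checking out the
# PR head and running its scripts hands the secret to whatever the PR author
# put in package.json; a fork PR needs no approval to reach this point.
name: test-insecure
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted PR code
      - run: npm ci && npm test              # executes PR-controlled scripts
        env:
          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}   # ...with the secret in env
---
# .github/workflows/test.yml  (HARDENED: untrusted PR code never sees a secret)
# pull_request from a fork gets no repository secrets and a read-only
# GITHUB_TOKEN; the permissions block keeps the default token minimal.
name: test
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# .github/workflows/deploy.yml  (HARDENED: the secret exists only in a job
# that runs code from a tag pushed by a committer, behind an environment
# that can require reviewer approval before the secret is released)
name: deploy
on:
  push:
    tags: ['*']
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: wordpress-org          # assumed name; configure required reviewers here
    steps:
      - uses: actions/checkout@v4
      - run: ./bin/deploy-to-svn.sh     # hypothetical deploy script
        env:
          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
```

Two things to check in any such setup: that no workflow triggered by `pull_request_target` (or `issue_comment`, `workflow_run`) both checks out untrusted code and has a secret in its environment, and that a credential shared across many repositories via an org-level secret is scoped to the repositories and environments that actually deploy, since every workflow in every repository it is shared with otherwise becomes a place from which it can leak.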


More information about the wp-meta mailing list