Universal Action to rotate NPM keys #46

Open
RafaelGSS opened this issue Feb 17, 2025 · 4 comments
@RafaelGSS

Hi folks,

I'm opening this issue just to get more attention from the express side. I opened fastify/fastify#5984 to discuss a feasible approach to rotate npm keys across many repositories of an organization, and I believe the same problem we are facing on fastify would happen here.

@UlisesGascon has mentioned you all would be working on something similar soon, so I thought I could help and we could create something more universal. Where can I get more info about this initiative?

RafaelGSS changed the title from "Universal Action to rotate NPM token keys" to "Universal Action to rotate NPM keys" on Feb 17, 2025
@wesleytodd
Member

wesleytodd commented Feb 17, 2025

I think the main thing we need to work out is the automated release workflows. This is what @sheplu will be working on as part of our STF funding this year. I have pretty strong opinions on this but probably not yet the time for me to write it up here. I will jot down some basic requirements I think we have though.

  1. 2FA support. This is the main thing lacking in the vanilla GHA publish workflows. There is the step-security stuff for this, but I have been hesitant to rely on a 3rd party company for this. Maybe that is an ideal worth giving up on so we can have 2FA?
  2. Release via PR. Each release needs a PR we can review with strong merge restrictions. Ideally this would include generated changelogs and GH releases.
  3. Monorepo support. This one might be considered a "nice to have", but I strongly believe there are some domains of this project which would have benefited from a small monorepo setup. I would not like our release workflow to be a blocker for how we structure the code in the repos.

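The requirements above (publish only through a reviewed release PR, a human gate in front of the token, attestation of what was built) can be sketched as a GitHub Actions workflow. The following is an added example for illustration, not a workflow from the expressjs or fastify projects or from anyone in this thread; the environment name `npm-publish`, the `NPM_TOKEN` secret name, and the `package.json`-path trigger are assumptions.

```yaml
# Added example, not the project's own workflow. Publishes to npm only after a
# release PR has been merged to main AND a maintainer has approved the protected
# "npm-publish" environment (required reviewers are configured in repository
# settings, not in this file). Environment/secret names are assumptions.
name: Release (publish after merged release PR)

on:
  push:
    branches: [main]
    paths:
      - "package.json"   # assumption: only a release PR bumps the version here

# Default to read-only; the publish job widens this only as far as it needs.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # The environment scopes NPM_TOKEN to this job alone and pauses the run
    # until an approver signs off, so a merged PR is never enough by itself.
    environment: npm-publish
    permissions:
      contents: read
      id-token: write   # required for npm --provenance (Sigstore attestation)
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in a real repository
        with:
          persist-credentials: false   # do not leave a repo token on disk
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - name: Publish this version unless it is already on the registry
        run: |
          name=$(node -p "require('./package.json').name")
          version=$(node -p "require('./package.json').version")
          # npm view exits non-zero (E404) when the exact version is absent.
          if npm view "$name@$version" version >/dev/null 2>&1; then
            echo "$name@$version is already published; nothing to do"
            exit 0
          fi
          npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two caveats that tie back to the thread: the environment approval is a GitHub-side human gate, not npm 2FA, so it does not by itself close the gap named in point 1, and the token in `NPM_TOKEN` is still a long-lived automation credential. Confining it to one protected environment per repository keeps the blast radius small and makes the organization-wide rotation this issue is about a matter of updating one secret per repo rather than hunting for copies.
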
@RafaelGSS
Author

Thanks for the summary @wesleytodd. @sheplu happy to discuss this with you!

@elliot-huffman

elliot-huffman commented Feb 19, 2025

What level of engagement would you like from me here?

I can assist with the below security items:

  • MFA enforcement of the build pipeline.
  • Supply chain risk reduction.
  • Build automation.
  • Cryptographic attestation.
  • Code signatures.

I am personally invested in the security of this project as Express.JS is a critical supply chain item for my projects/apps.

@wesleytodd
Member

Thanks for the offer @elliot-huffman! We will be putting together plans in the coming weeks afaik, and I am sure there will be things which can be helped with. I would suggest starting with finding and engaging in the many existing discussions in our repos and finding where there are already opportunities to contribute, then engaging in a discussion in our Slack (on the OpenJS Slack workspace). As much of this work is funded by the STF, I believe there will be more structure around the work than normal so that it can all be reported correctly, so make sure to sync with @sheplu on it as he is leading that milestone.
