Share release credentials? #30

Open
ashfurrow opened this issue Nov 4, 2017 · 14 comments
@ashfurrow
Member

We have a bunch of projects and they're all released fairly similarly: tag, push, and send to CocoaPods Trunk. We should have some way for org members to step in and help deploy any RxSwiftCommunity library.

I have a few initial ideas, but this discussion is very open-ended, so chime in!

Maybe we could have a centralized RxSwiftCommunity CocoaPods Trunk account and share credentials securely through Keybase?

@freak4pc
Member

freak4pc commented Nov 4, 2017

If I'm not mistaken, the only way to push stuff to Specs today is with an email and password, right? If there would be some secret/private key pair we could use to do this, it would've been much nicer in this sense (of an organization). Anyway, using a shared user/pass could work but feels like there should be a nicer way.

@ashfurrow
Member Author

Yeah, I should have mentioned how CocoaPods authenticates trunk pushes. It uses a .netrc file in your home folder to authenticate using HTTP(s) basic auth.

The thing is, .netrc files have no way of switching between multiple auth tokens. Having spoken with @orta, this could be a feature we add to CocoaPods. I think in an ideal setup, there would be some environment variable that can override the credentials in .netrc. Something like:

$ TRUNK_EMAIL=... TRUNK_TOKEN=... pod trunk push Action.podspec

But that doesn't exist in CocoaPods right now. Anyone up for sending a PR? 😉

@freak4pc
Member

freak4pc commented Nov 4, 2017

Basic auth meaning we need to have a single email and password, pretty much - right?

@bobgodwinx
Member

I think you won't need the TRUNK_EMAIL but just the AUTH_KEY and you should be good to go. If I am not mistaken?

@ashfurrow
Member Author

@freak4pc yes exactly.

@bobgodwinx I believe we need both, as the token authenticates the email, which is used to check if the email has push access to the pod.

@freak4pc
Member

freak4pc commented Nov 4, 2017

@bobgodwinx This isn't something like OAuth unfortunately, so the authentication is sort of a "one off", and you always need the email/pass pair to push a version up. Anyway, I think we're on the same page; we'll probably need to do some work on CocoaPods itself before we can satisfy this demand.

@bobgodwinx
Member

Ah ok, I get it. This means only people added to the TRUNK_TOKEN will be able to trunk to CocoaPods.

@bobgodwinx
Member

Any update on this issue?

@ashfurrow
Member Author

I haven't had time to look into it further, and I probably won't have time soon, but if someone else has availability, let me know what I can do to support you.

@freak4pc
Member

The problem with this ticket is it's really not straightforward ... every choice of how to do this will be a tradeoff. (Mainly security-wise?)

@mosamer

mosamer commented Nov 20, 2017

If I may add something, shared credentials are of course the easiest and most straightforward solution here. However, it just feels wrong! Something inherently says No about it. Again, this is just a feeling/how-we-used-to-stuff thing, so if we need to ignore this and proceed with it, we absolutely can.

On the other hand, I see this as a typical bus factor problem. I may suggest simply adding an item to the checklist of adding another 2-or-more active members of the organisation on CocoaPods. So while the original author may remain as the main maintainer of the repo, others may help with pushing new versions once needed. IIRC there was a similar case happening soon regarding RxMKMapView and involving @freak4pc & @icanzilb where this mechanism actually worked.

@bobgodwinx
Member

I ran into this article and I think it could help. Let me know what you guys think.
https://fuller.li/posts/automated-cocoapods-releases-with-ci/

@ashfurrow
Member Author

Sounds good to me! It will take a bit of setup but I like this. I won't have time to look at it for a few weeks; if anyone finds other materials that would help, chime in :)

@freak4pc
Member

I've also bumped into this: https://www.vaultproject.io/intro/index.html
