Add credential helper support for bundler #8501
Thanks for opening a pull request and helping make RubyGems and Bundler better! Someone from the RubyGems team will take a look at your pull request shortly and leave any feedback. Please make sure that your pull request has tests for any changes or added functionality. We use GitHub Actions to test and make sure your change works functionally and uses acceptable conventions; you can review the current progress of GitHub Actions in the PR status window below. If you have any questions or concerns that you wish to ask, feel free to leave a comment in this PR or join our #rubygems or #bundler channel on Slack. For more information about contributing to the RubyGems project feel free to review our CONTRIBUTING guide.

ac0d913 to 0e48def

bundler/lib/bundler/settings.rb (Outdated)
return unless helper_path

begin
  output = `#{helper_path}`.strip
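Review bot: the backtick call in `output = `#{helper_path}`.strip` hands the configured value to a shell, so shell metacharacters in the `credential-helper` setting are interpreted instead of being passed literally to the helper; run it with `IO.popen` given an argv array, which execs the program directly, and since the block only guards with `return unless helper_path`, also check the helper's exit status before trusting `output`.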
@segiddins do you see any security issues with calling out this? Value is coming from bundle config.
I have a preference that we use the same pattern as https://git-scm.com/docs/gitcredentials#_configuration_options. Additionally, we should be using IO.popen for the subprocess.
@simi @segiddins 0e48def...be95a01
Taking security concerns into consideration, I have modified the code to use IO.popen.
Additionally, similar to Git, I have implemented a function that automatically recognizes executables named bundler-credential-{helper-name} for automatically discovering helpers.

Planning to dive into this and the RFC soon. I normally use ENV variables to avoid saving credentials to disk, but it seems nice to support something more built in!

- Git-flavored configurations
- IO.popen with execution

This Pull Request is very useful for my current issue. I want to use a private gem for both local development and on CI (GitHub Actions), but I'm having trouble managing the credentials.
- @simi @segiddins If the issues pointed out in the review are resolved, can this Pull Request be merged?
- @atpons: Do you still have the motivation to merge this Pull Request? If not, I can continue with the implementation.

Sorry, I haven't been able to work on it because I was busy, but I will continue with the implementation.
Love it. Can't wait to use this.
Thanks for your work. Just one small nitpick for readability and then I'll defer to @segiddins to finalize the requested git inspired change.
Co-authored-by: Martin Emde <[email protected]>
Sorry, I've fixed some specs for change to using IO.popen 🙏
With checking for exit status of the credential helper
"bundler-credential-#{command[0]}"
end

output = Bundler.with_unbundled_env { IO.popen(command, &:read) }
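Review bot: `output = Bundler.with_unbundled_env { IO.popen(command, &:read) }` discards the helper's exit status, so a helper that fails is indistinguishable from one that succeeds with empty output; check `Process.last_status.success?` (or `$?`) immediately after the block and raise when it is not successful. Passing `command` as an array to `IO.popen` is the right choice here, since `command[0]` is derived from config via `"bundler-credential-#{command[0]}"` and must never reach a shell.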
nit - let's check $? after IO.popen

thanks, db1e5ab fixed it by checking Process.last_status (using $? is difficult to write specs for)
What was the end-user or developer problem that led to this PR?
When using private gem registries (like GitHub Packages), users need to provide authentication credentials.
This PR implements the credential helper mechanism proposed in rubygems/rfcs#59, which allows users to securely retrieve authentication credentials from external processes.
What is your fix for the problem, implemented in this PR?
This PR adds a `credential-helper` setting that specifies the path to a helper program. The helper prints credentials in `username:password` format. Here's an example of using it with GitHub Packages with GitHub CLI:

Additionally, it is also possible to place an executable file named `bundler-credential-github`.
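An added example of the mechanism this PR describes; it is not Bundler's code from the PR. It resolves the setting to an argv array the way git's credential.helper does (a bare name becomes `bundler-credential-<name>`, a path is run as given), runs the helper through IO.popen without a shell, fails closed on a non-zero exit via Process.last_status, and parses `username:password`. The module and method names and the constructed /bin/sh test helper are assumptions, and a POSIX /bin/sh is assumed to exist.

```ruby
require "tmpdir"

# Added illustration of a credential-helper lookup; not Bundler's code.
# Hypothetical names: CredentialHelperDemo, command_for, fetch, parse, with_fake_helper.
module CredentialHelperDemo
  HelperError = Class.new(StandardError)

  # Turn the `credential-helper` setting into an argv array, following git's
  # credential.helper convention: a bare name "github" means an executable
  # bundler-credential-github on PATH; anything containing "/" is a path run
  # as given. Extra words become arguments. The result is never a shell string.
  def self.command_for(setting)
    words = setting.to_s.split
    return nil if words.empty?
    words[0] = "bundler-credential-#{words[0]}" unless words[0].include?("/")
    words
  end

  # Run the helper and return [username, password]. Fails closed: a non-zero
  # exit or malformed output raises instead of yielding empty credentials.
  def self.fetch(setting)
    argv = command_for(setting)
    raise HelperError, "no credential helper configured" unless argv
    output = IO.popen(argv, "r", &:read)   # argv form: exec directly, no shell
    status = Process.last_status           # set once the popen block has waited
    unless status&.success?
      raise HelperError, "#{argv[0]} failed (exit status #{status ? status.exitstatus : 'unknown'})"
    end
    parse(output)
  end

  def self.parse(output)
    user, pass = output.to_s.lines.first.to_s.chomp.split(":", 2)
    if user.nil? || user.empty? || pass.nil? || pass.empty?
      raise HelperError, "helper must print username:password on its first line"
    end
    [user, pass]
  end

  # Constructed test double: writes a tiny /bin/sh helper into a temp dir,
  # yields its absolute path so fetch runs it, and cleans up afterwards.
  def self.with_fake_helper(body)
    Dir.mktmpdir("cred-helper") do |dir|
      path = File.join(dir, "bundler-credential-fake")
      File.write(path, "#!/bin/sh\n#{body}\n")
      File.chmod(0o700, path)
      yield path
    end
  end
end
```

`CredentialHelperDemo.with_fake_helper("echo alice:ghp_constructed_token") { |h| CredentialHelperDemo.fetch(h) }` returns `["alice", "ghp_constructed_token"]`, while a helper that exits non-zero or prints nothing raises HelperError.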