You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have a specific use case that from the initial research would seem possible to solve with Verdaccio. But unfortunately I haven't found an elegant solution.
Current setup and objective
We have both a GitHub and an NPM organisation named example-org.
We have many publicly published packages in the NPM registry, under @example-org/sample-public-package
(This need to remain available both for internal and external users)
We want to start publishing private, internal packages under our GitHub account.
This is for a plenitude or reasons, a few examples:
we already manage all the software lifecycle in this platform;
access control is already well defined and maintained for our team inside GitHub;
we intend to use GITHUB_TOKEN secrets that allows us to have secure and simple short lived scoped tokens in our ci environments;
We want to be able to install private and public packages at any time. Internet users should also be able to use our packages.
The problem is that even if you force the repository in your .npmrc GitHub refuses to publish packages when the scope does not match the username of the organisation.
I think if this worked I would not be here and would not need Verdaccio. Altough I would lose a few Verdaccio features that are really nice and I would like to explore: caching, and auditing/metrics.
Attempt 2 - Using Verdaccio to proxy both GitHub and NPM registries
Initially after watching Juan Picado talk I would expect one would be able to proxy all requests that belong to a certain registry and let the upstream deal with authorization.
We would simply launch a Verdaccio server in npm.example-org.com and proxy all private packages to GitHub while keeping the remaining in NPM.
The problem is that Verdaccio uses the provided Authorization header to authenticate in itself and does not pass it to the uplink. I did not find a way to do this.
uplinks:
github_packages:
url: https://npm.pkg.github.com/# auth: we need to proxy/forward authnpmjs:
url: https://registry.npmjs.org/# auth: we need to proxy/forward authpackages:
'@example-org/*':
access: $allpublish: $allunpublish: $allproxy: github_packages npmjs'@*/*':
access: $allpublish: $allunpublish: $allproxy:
'**':
access: $allpublish: $allunpublish: $allproxy: npmjs
The only thing one can do is set a static auth token, but as described initially we do not want to manage permissions elsewhere other than GitHub, that will just create complexity.
There are a few plugins like verdaccio-github-oauth-ui that allow one to check permissions against GitHub organisations, for Verdaccio. But they do not use the GitHub package permissions nor they forward the Authorization token to https://npm.pkg.github.com/. They are only a way to authorise actions in Verdaccio.
Non solutions/Considerations
We do not want to use our Verdaccio server as our private registry, we want GitHub.
We do not want to hardcode a specific GitHub Token / PAT in our Verdaccio instance.
We would like to avoid having every developer running a Verdaccio server with their token in it.
Q: Ould it be possible to create a public that would forward forward the Authorization token to the uplink? What if there's a cache hit? I want to always check permissions against the upstream.
Attempt 3 - Re-publish all our public packages in GitHub
This way if one is targeting the @example-org scope to GitHub it would also have access to the public packages.
This is the only plausible solution as of right now. The problem is that we need to keep public packages in both GitHub and NPM.
I know NPM doesn't work like that, but I would really like to have packages named like Docker: ghcr.io/sample-org/sample-package.
This way it would automatically figure out the registry without crazy complications.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Verdaccio
-
I have a specific use case that from the initial research would seem possible to solve with Verdaccio. But unfortunately I haven't found an elegant solution.
Current setup and objective
example-org.@example-org/sample-public-package(This need to remain available both for internal and external users)
This is for a plenitude or reasons, a few examples:
Attempt 1 - Using a different prefix for GitHub
The idea is simple, just publish internal packages under a different scope, for example
@example-org-gh. Using the strategy described in Publishing multiple packages to the same repository.The problem is that even if you force the repository in your
.npmrcGitHub refuses to publish packages when the scope does not match the username of the organisation.These will not work:
I think if this worked I would not be here and would not need Verdaccio. Altough I would lose a few Verdaccio features that are really nice and I would like to explore: caching, and auditing/metrics.
Attempt 2 - Using Verdaccio to proxy both GitHub and NPM registries
Initially after watching Juan Picado talk I would expect one would be able to proxy all requests that belong to a certain registry and let the upstream deal with authorization.
We would simply launch a Verdaccio server in
npm.example-org.comand proxy all private packages to GitHub while keeping the remaining in NPM.The problem is that Verdaccio uses the provided
Authorizationheader to authenticate in itself and does not pass it to the uplink. I did not find a way to do this.The only thing one can do is set a static auth token, but as described initially we do not want to manage permissions elsewhere other than GitHub, that will just create complexity.
There are a few plugins like verdaccio-github-oauth-ui that allow one to check permissions against GitHub organisations, for Verdaccio. But they do not use the GitHub package permissions nor they forward the
Authorizationtoken tohttps://npm.pkg.github.com/. They are only a way to authorise actions in Verdaccio.Non solutions/Considerations
Q: Ould it be possible to create a public that would forward forward the
Authorizationtoken to the uplink? What if there's a cache hit? I want to always check permissions against the upstream.Attempt 3 - Re-publish all our public packages in GitHub
This way if one is targeting the
@example-orgscope to GitHub it would also have access to the public packages.This is the only plausible solution as of right now. The problem is that we need to keep public packages in both GitHub and NPM.
I know NPM doesn't work like that, but I would really like to have packages named like Docker:
ghcr.io/sample-org/sample-package.This way it would automatically figure out the registry without crazy complications.
Has anyone had the same problem? Any suggestion?
Beta Was this translation helpful? Give feedback.
All reactions