oh eat my entire ass, npm
once they implement that i'm just going to put username and password into the github publishing workflow. i am *not* going to manually swap tokens, not every 7 days, not every 90
@jhwgh1968 upgrading to passkeys. this is actually probably strictly better so i'm chill about it
@whitequark I'm trying to figure out line 2
They're not allowing TOTP anymore? Are they downgrading to SMS or some nonsense?
@whitequark @jhwgh1968 it'd be nice if GitHub had a way to generate a passkey and enroll it into npm. But this is dumb af without that.
@jpab yes, I'm setting this up right now in fact. still a shitload of busywork but not as bad as the initial impression. (I use OIDC publishing with PyPI already)
@whitequark can't you use the "Trusted Publisher" thing if you're publishing from GitHub?
You configure npm account to allow publishing from a particular GitHub project & workflow and then there's some OIDC auth dance between GitHub and npm which avoids the need to put an npm token in a GitHub actions secret.
good news: you can use Trusted Publishing to avoid dealing with the tokens
bad news: do you think github's own instructions for how to set this shit up on github work? yes? hahaha no of course they fucking don't imagine anybody involved in this mess doing their job well
i should bill GitHub for my time
@whitequark please tell me I don't have to use github actions for this. my current workflow is the 'npm publish' command locally and entering a totp code
@jcoglan you'll have to keep rotating tokens
@jcoglan @whitequark wait so if i want to publish using totp on npm in future do i need to sign up for totp tokens now. will that force me to use totp afterward or can i just get something registered
@mcc @jcoglan i _think_ you can still make a "granular" token valid until 2038
@alwayscurious @jhwgh1968 keepassx has an extension for at least chrome
@whitequark @jhwgh1968 which browsers support passkeys on Linux?