Multi-User 2FA

Although this feature is documented here, the implementation has not yet shipped.

When an open source project is large enough, a common situation is that several developers hold merge rights to master. Combined with Semantic Release, this means that any of those developers can trigger a release by merging. On CI, however, there is traditionally only a single NPM_TOKEN, which leaves two options:

  • The developers share a single npm account created specifically for that project. An example of this is the electron-bot npm user.

  • Or one developer's personal npm account is used on CI for everyone.

The problem with the second option is that, for other developers to be able to enter 2FA codes into CFA, they would need the 2FA secret (the seed from which the codes are generated) for that one developer's npm account. Handing that secret around would be terrible for the security of that account and makes little sense.

To support this use case, CFA allows multiple npm tokens in your CI configuration and lets the person entering the 2FA code choose which token to publish with.

How to set this up?

Traditionally Semantic Release reads a single environment variable, NPM_TOKEN, to obtain the npm access token required to publish the package. With CFA, instead of providing NPM_TOKEN you can provide any number of NPM_TOKEN_{username} variables, such as NPM_TOKEN_marshallofsound or NPM_TOKEN_electronbot. CFA reads these and lets you choose between them when it asks for your 2FA code.

Please note that if you provide tokens in this format you should not also provide the default NPM_TOKEN variable. Each token should belong to the developer named in the variable, so that the 2FA code they enter matches the account the token was issued for.
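The following is an added example of how a CI tool could read the NPM_TOKEN_{username} convention described above. It is not CFA's own code, and the function names (discoverNpmTokens, selectNpmToken, npmrcLine) are hypothetical; the assumed behaviour beyond the page is that mixing NPM_TOKEN with NPM_TOKEN_{username} is rejected outright rather than silently preferring one, and that the chosen token is handed to npm through the usual `//registry/:_authToken=` line in .npmrc.

```javascript
// Added example (not CFA's code): discover per-developer npm tokens from the
// CI environment, let the publishing developer pick one, and build the .npmrc
// line that gives it to the npm CLI. Helper names are hypothetical.

const TOKEN_PREFIX = 'NPM_TOKEN_';

// Scan an environment object for NPM_TOKEN_{username} variables and return a
// Map of username -> token. An environment with only the legacy NPM_TOKEN
// yields an empty Map, so a caller can fall back to the single-token path.
// Mixing NPM_TOKEN with NPM_TOKEN_{username} is rejected (assumption made
// here), because silently preferring one form could publish under an
// account the developer did not choose.
function discoverNpmTokens(env) {
  const tokens = new Map();
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(TOKEN_PREFIX)) continue;
    const username = name.slice(TOKEN_PREFIX.length);
    if (username.length === 0) continue;              // bare "NPM_TOKEN_"
    if (typeof value !== 'string' || value === '') continue; // unset in CI UI
    tokens.set(username, value);
  }
  if (tokens.size > 0 && env.NPM_TOKEN) {
    throw new Error(
      'NPM_TOKEN must not be set alongside NPM_TOKEN_{username} variables',
    );
  }
  return tokens;
}

// Resolve the token for the username the developer picked when prompted for
// their 2FA code. Only names returned by discoverNpmTokens are accepted, so a
// typo cannot fall through to some other account's token.
function selectNpmToken(tokens, username) {
  const token = tokens.get(username);
  if (token === undefined) {
    throw new Error(`no ${TOKEN_PREFIX}${username} configured on CI`);
  }
  return token;
}

// Build the .npmrc auth line for the chosen token. The "//host/:_authToken="
// form is the npm CLI's registry-scoped credential syntax; the registry is a
// parameter so a private registry can be used too.
function npmrcLine(token, registry = 'https://registry.npmjs.org/') {
  const host = registry.replace(/^https?:/, ''); // "//registry.npmjs.org/"
  return `${host}:_authToken=${token}`;
}

// Constructed sample environment for the demo; these are not real tokens.
const sampleEnv = {
  CI: 'true',
  NPM_TOKEN_marshallofsound: 'npm_tokenA',
  NPM_TOKEN_electronbot: 'npm_tokenB',
};

const available = discoverNpmTokens(sampleEnv);
console.log('publish as one of:', [...available.keys()].join(', '));
const chosen = selectNpmToken(available, 'electronbot');
console.log(npmrcLine(chosen));
```

One practical caveat: npm usernames may contain hyphens and dots, which most shells and CI systems do not accept in environment variable names, and this page does not say how CFA maps such usernames; until that is specified, stick to usernames made of letters, digits and underscores for the variable suffix.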

What is the benefit of this system?

By putting multiple access tokens on CI you can let each developer publish with their own access token and their own 2FA codes. This means you do not have to share access to a single npm account or distribute one account's 2FA secret to all of your maintainers, and each published version is tied to the account of the person who approved it.

What does it look like?

Screenshots coming soon
