First, I would like to express my gratitude for your efforts in maintaining this project, which I find immensely useful.
I have a suggestion that might enhance its functionality for certain workflows.
Currently, when I use a GitHub action that requires appending a token to .yarnrc.yml (echo 'npmAuthToken: "${{ secrets.PRIVATE_PAT }}"' >> .yarnrc.yml), this action inadvertently adds the .yarnrc.yml file to the version control.
This inclusion poses a security risk as it contains the plaintext PRIVATE_PAT token.
Would it be possible to consider an option or feature where unrelated files, such as .yarnrc.yml, are excluded from being added during git add operations, specifically in scenarios unrelated to version bumping?
Any guidance or alternative solutions you might suggest for this issue would be greatly appreciated.
I'll try to make a PR to this repo to switch the git add -a for a git add package.json. But, in the meantime, @yichun-chou, you can set your PRIVATE_PAT in the home folder of your runner.
echo 'npmAuthToken: "${{ secrets.PRIVATE_PAT }}"' >> ~/.yarnrc.yml
OR
yarn config set --home npmScopes.your-org.npmAuthToken ****
(Notice the ~ character before the .yarnrc.yml file)
By doing that, when this action does the git add -a, nothing besides the package.json will be changed.
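A pre-commit guard for the failure mode in this thread (a bump step that stages everything and sweeps a token-bearing RC file into the commit), added here as an example and not code from the issue, the action, or its maintainers; it assumes the file names .yarnrc.yml and .npmrc and the key names npmAuthToken and _authToken.

```shell
#!/bin/sh
# Added example: refuse to commit when the staged set would publish a registry
# token. Assumed RC file names: .yarnrc.yml and .npmrc (constructed for this
# example; adjust to the project's own files).

# Return 1 if any staged path (one per line on stdin) is a Yarn/npm RC file.
staged_paths_clean() {
  while IFS= read -r path; do
    case "$path" in
      .yarnrc.yml|*/.yarnrc.yml|.npmrc|*/.npmrc) return 1 ;;
    esac
  done
  return 0
}

# Return 1 if the staged content on stdin carries an auth token line.
# A '${{ secrets.X }}' template is no safer: the workflow expands it before
# the file is written, so the committed line holds the real value.
staged_content_clean() {
  if grep -Eq '^[[:space:]]*npmAuthToken:|_authToken=' ; then
    return 1
  fi
  return 0
}

# Combined guard for a real repository; run it just before the bump step
# commits. Added lines are fed without their leading '+' so the content
# check sees them as they will appear in the committed file.
guard_commit() {
  git diff --cached --name-only | staged_paths_clean || {
    echo "refusing to commit: a .yarnrc.yml/.npmrc is staged" >&2
    return 1
  }
  git diff --cached -U0 | sed -n 's/^+//p' | staged_content_clean || {
    echo "refusing to commit: staged changes contain an auth token" >&2
    return 1
  }
}
```

Wire `guard_commit` in as a pre-commit hook or as a workflow step between `git add` and `git commit`; it exits non-zero on the first finding so the commit never happens.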