Feature: private scope only publish/deploy tokens #438
Hi,

The automation tokens used by CICD tools to publish to a private scope registry would benefit a lot by having the option to create a token that can only publish to a private scope.

Currently, if you've got a private org that has a scope "@xyz" but a developer accidentally creates a package without the scope specified in the package.json (e.g. something like

This seems like playing with fire for a lot of orgs that only want to deal with private packages. Could an option be added when creating a token that binds it to a specific scope (for publishing) that prevents this issue?

Thanks
Replies: 1 comment
@rhys-e-con thank you for your feedback.
Right now our automation tokens (and in general all tokens) do not have access control beyond "publish or not". We are exploring improving the access control with npm/roadmap#10, but that is a bit different than your request here.
I don't think we can immediately begin looking into more advanced forms of access control before we get per-package access control figured out, but we can definitely keep this in mind as we are creating the feature to make sure that we are not designing ourselves into a box.