Howdy folks!
Just letting you know that Clojars[1] now allows you to create and use
deploy tokens[2] in place of passwords when deploying. If you don't
deploy OSS projects to Clojars, feel free to stop reading now.
The deploy tokens are to be used in place of a password when
deploying, and can optionally be scoped to only allow deployment of a
single artifact or any artifact within a group[2].
We now consider deploying with your Clojars password deprecated, and
will *disable deploying with a password on or after 2020-06-27*. So
please switch to using deploy tokens as soon as you can, and please
file an issue[3] or get in touch via the #clojars channel on the
Clojurians slack if you encounter any problems.
Also please file an issue[3] if you know of any public documentation
that should be updated to mention deploy tokens.
We are currently working with GitHub to enable secret scanning[4] for
these tokens. Once that is in place, any token that GitHub discovers
in source code will automatically be disabled and Clojars will email
you about it.
This work is being sponsored by Clojurists Together[5]. Please
consider joining to sponsor this and other OSS work in the Clojure
community if you aren't already a member. If you are already a member:
thank you!
- Toby
[1]:
https://clojars.org
[2]:
https://github.com/clojars/clojars-web/wiki/Deploy-Tokens
[3]:
https://github.com/clojars/clojars-web/issues/new?template=issue.md
[4]:
https://developer.github.com/partnerships/secret-scanning/
[5]:
https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/