Set up Secure, Automated Npm Release Processes with Optic
The goal of software delivery is to release software to users and consumers. Automating the release pipeline with CI (Continuous Integration) and CD (Continuous Delivery) makes it easier to release high-quality code more often and faster.
Examples include the recent takeovers of the rc packages. In most cases, the hijacked accounts are Npm accounts that aren’t using 2FA (two-factor authentication).
Updates to packages have been made easier by tools like GitHub’s dependabot and actions, but releasing them manually with 2FA enabled can still be a pain.
Did you know that Npm plans to enforce 2FA for the top 500 packages by early 2022?
With tens of thousands of packages released every month, wouldn’t it be great if there was a way to completely automate the release process?
Optic does exactly that!
Optic enables you to automate the release process of your Npm packages, apps and actions without compromising security. The Optic mobile app helps you securely generate OTP tokens on the fly for 2FA-protected Npm accounts, and it lets you do all of that directly from the deployment pipeline at the click of a button!
Optic without Npm?
Optic is a very versatile tool that can work with different release pipelines. It can also be used for doing releases with python/pip or rust/cargo or any other combination!
All you need to do is configure the Optic GitHub action with the correct parameters for your release pipeline. We will be using Npm for the purposes of this blog post.
What is Optic?
Optic is an ecosystem made up of a mobile application, a GitHub action and a backend application.
The mobile app stores Npm secrets, generates OTPs and receives push notifications. The GitHub action triggers the deployment workflow. The backend server stores app subscriptions and generates Optic tokens.
How Optic works
In a nutshell, Optic works by automating the build and versioning process, as well as publishing Npm packages, all without compromising security. Publishing an Npm package requires you to authenticate using a publish token issued by Npm; these tokens are used when publishing packages with the Npm CLI. If you also have 2FA enabled, an OTP is required for the publishing step as well.
Features in Optic
- Auto publish Npm packages using CI
- Supports 2FA protected Npm accounts
- Multiple repo owners/collaborators supported
- Push notifications for approvals
- Privacy first! Your Npm secret token never leaves your device
- Mobile app with slick UI and biometric authentication
- Completely open source with self hosting support
Optic uses a Fastify server as the backend. The Firebase Firestore database stores app subscriptions and necessary user information. The mobile app is built using React Native and uses secure storage for storing Npm tokens.
The Optic GitHub action is used to trigger the release process. You can also set up Optic on your own servers; all instructions are in the repository README.
Setting up the Optic mobile app
In order to set up Optic, the first thing you need to do is generate a 2FA token for your Npm account, and then save it to your mobile device using the Optic app. This secret token is never transmitted to any 3rd party servers.
Instead, the Optic mobile app asks the backend to generate a token that corresponds to your 2FA secret and your mobile device. This Optic token is then stored on the device and used during the release process. The Optic token must also be saved in the repository secrets so that the release workflow action can use it.
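To make concrete what "generating an OTP on the fly" for a 2FA-protected Npm account means (as described under "How Optic works" and in the setup steps above), here is an added example, not Optic's own code, of the TOTP algorithm (RFC 6238) that authenticator apps use. The 2FA secret is the base32 string Npm shows when you enable 2FA; in this example the seed is the constructed RFC 6238 test-vector seed, and the fixed timestamps are assumptions used only to make the output checkable. The code the device produces is what ends up in `npm publish --otp=<code>`; the secret itself never has to leave the device.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed seed: the RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real Npm 2FA secret is the base32 string shown during 2FA enrolment and must
# stay on the device, as Optic's privacy-first design requires.
RFC6238_SEED = b"12345678901234567890"
EXAMPLE_SECRET_B32 = base64.b32encode(RFC6238_SEED).decode()

TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over a big-endian 64-bit counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _decode_secret(secret_b32: str) -> bytes:
    # Authenticator secrets are often shown without base32 padding; restore it.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), now // TIME_STEP, digits)


def verify_totp(secret_b32: str, candidate: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: accept codes from `window` steps either side to absorb clock drift.

    Uses a constant-time comparison so a wrong guess leaks no timing information.
    """
    now = int(time.time()) if at is None else at
    for k in range(-window, window + 1):
        expected = totp(secret_b32, now + k * TIME_STEP)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def publish_argv(otp_code: str) -> list:
    """The Npm CLI invocation the release step runs once the OTP is in hand."""
    return ["npm", "publish", f"--otp={otp_code}"]


if __name__ == "__main__":
    code = totp(EXAMPLE_SECRET_B32)
    print("current OTP:", code)
    print("verifies:", verify_totp(EXAMPLE_SECRET_B32, code))
    print("release command:", " ".join(publish_argv(code)))
```

The device-side half is `totp()`; the Npm registry performs the equivalent of `verify_totp()`. Because the window is only 30 seconds, a CI job must obtain the code right before `npm publish`, which is exactly why Optic pushes an approval to the phone at publish time rather than storing a code ahead of the run.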
Screenshots of the Optic mobile application