feat: get a GitHub Access Token from keyring #3174

Draft
wants to merge 15 commits into
base: main

suzuki-shunsuke (Member) commented Oct 12, 2024

This pull request adds a feature to get a GitHub access token from a secret store such as Windows Credential Manager, macOS Keychain, or GNOME Keyring.
You can manage a GitHub access token securely.
This feature is powered by the third-party library zalando/go-keyring.
This feature is disabled by default.
To enable this feature, you have to set the environment variable AQUA_ENABLE_KEYRING.

export AQUA_ENABLE_KEYRING=true

You also have to set a GitHub access token with the aqua token set command.

aqua token set

You can also pass a GitHub Access token from stdin.

echo "$GITHUB_TOKEN" | aqua token set -stdin

Then you can use aqua as usual.
When aqua accesses a secret store, you may need to approve the access via prompt.


If the environment variable GITHUB_TOKEN or AQUA_GITHUB_TOKEN is set, this feature is ignored.
And even if aqua can't get a GitHub Access Token, aqua still works without a GitHub Access Token.

Performance Test

Access to a secret store makes performance worse, so we implement lazy loading, meaning aqua accesses a secret store only when the access is really necessary.
I confirmed that when aqua didn't access a secret store, the performance didn't get worse.

$ hyperfine -N --warmup 3 '/Users/shunsukesuzuki/go/bin/aqua which mkghtag' '/Users/shunsukesuzuki/.local/share/aquaproj-aqua/bin/aqua which mkghtag'
KEYRING IS ENABLED
Benchmark 1: /Users/shunsukesuzuki/go/bin/aqua which mkghtag
  Time (mean ± σ):      32.5 ms ±   2.5 ms    [User: 32.6 ms, System: 3.5 ms]
  Range (min … max):    30.7 ms …  42.4 ms    75 runs
 
  Warning: The first benchmarking run for this command was significantly slower than the rest (39.8 ms). This could be caused by (filesystem) caches that were not filled until after the first run. You are already using the '--warmup' option which helps to fill these caches before the actual benchmark. You can either try to increase the warmup count further or re-run this benchmark on a quiet system in case it was a random outlier. Alternatively, consider using the '--prepare' option to clear the caches before each timing run.
 
Benchmark 2: /Users/shunsukesuzuki/.local/share/aquaproj-aqua/bin/aqua which mkghtag
  Time (mean ± σ):      32.4 ms ±   2.5 ms    [User: 32.5 ms, System: 3.5 ms]
  Range (min … max):    30.3 ms …  42.8 ms    72 runs
 
  Warning: The first benchmarking run for this command was significantly slower than the rest (41.1 ms). This could be caused by (filesystem) caches that were not filled until after the first run. You are already using the '--warmup' option which helps to fill these caches before the actual benchmark. You can either try to increase the warmup count further or re-run this benchmark on a quiet system in case it was a random outlier. Alternatively, consider using the '--prepare' option to clear the caches before each timing run.
 
Summary
  /Users/shunsukesuzuki/.local/share/aquaproj-aqua/bin/aqua which mkghtag ran
    1.00 ± 0.11 times faster than /Users/shunsukesuzuki/go/bin/aqua which mkghtag

@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Oct 12, 2024
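
The lookup order the description above lays out (environment variables first, the opt-in secret store second and lazily, no token as a valid outcome), as an added Go example that is not aqua's own code. `TokenSource`, `Getenv`, `KeyringGet`, `Lookups` and `Err` are hypothetical names; the order between the two token variables and the rule that only the literal value `true` enables the feature are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// TokenSource resolves a GitHub access token lazily. Getenv and KeyringGet are
// injected; KeyringGet is a hypothetical stand-in for the secret-store lookup.
type TokenSource struct {
	Getenv     func(string) string
	KeyringGet func() (string, error)
	Lookups    int   // secret-store accesses performed
	Err        error // last secret-store error, safe to log (never holds the token)
	once       sync.Once
	token      string
}

// Token returns the token, or "" when none is available. The secret store is
// consulted at most once, and only when no environment variable supplies a token.
func (s *TokenSource) Token() string {
	s.once.Do(func() {
		// Assumed order between the two variables; the page only says either one wins.
		for _, k := range []string{"AQUA_GITHUB_TOKEN", "GITHUB_TOKEN"} {
			if v := s.Getenv(k); v != "" {
				s.token = v
				return
			}
		}
		if s.Getenv("AQUA_ENABLE_KEYRING") != "true" { // opt-in, disabled by default
			return
		}
		s.Lookups++
		if s.token, s.Err = s.KeyringGet(); s.Err != nil {
			s.token = "" // fall back to unauthenticated requests
		}
	})
	return s.token
}

func main() {
	env := map[string]string{"AQUA_ENABLE_KEYRING": "true"} // constructed sample
	locked := func() (string, error) { return "", errors.New("failed to unlock collection") }
	s := &TokenSource{Getenv: func(k string) string { return env[k] }, KeyringGet: locked}
	fmt.Printf("token=%q lookups=%d err=%v\n", s.Token(), s.Lookups, s.Err)
	s.Token() // second call does not touch the secret store again
	fmt.Println("lookups after second call:", s.Lookups)
}
```

Because the environment check runs before the secret-store call, a command that never asks for a token, or a CI job that exports `GITHUB_TOKEN`, never triggers the OS approval prompt.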
@suzuki-shunsuke (Member, Author)

I could confirm this feature works well on macOS.
But I haven't confirmed this feature on Windows and Linux yet.
I tried GNOME Keyring, but it didn't work well.
I'm not familiar with GNOME Keyring, so it's hard to solve the issue.

$ aqua token set
Enter a GitHub acccess token for aqua: 
FATA[0011] aqua failed                                   aqua_version=2.37.0-1 env=linux/arm64 error="set a GitHub access Token to the secret store: set a GitHub Access token in keyring: failed to unlock correct collection '/org/freedesktop/secrets/aliases/default'" program=aqua

$ gnome-keyring version
gnome-keyring: 46.1

Labels: enhancement, security