Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

sbt:publish - Do I really need to include credentials in my repo?

Peter Nerg
Peter Nerg September 13, 2017

I've looked at the example on how to integrate sbt:publish as part of the pipelines you offer 

JfrogDev/sbt-example

One thing that disurbs me is the need to have the credentials inlined in the repo.

This means that anyone with access to the repo can perform the publish operation from their laptop. For obvious reasons it's rather undesirable to allow anyone to push code to the binary repo. 

With sbt one normally uses the ~/.ivy2/.credentials file to contain the credentials needed to push binaries to e.g. Artifactory.
Using e.g. Jenkins one configures the user running Jenkins with the correct access rights thus only the Jenkins user/process is allowed to push binaries.

Is there no way as admin of a project/repo I can set the credentials outside the repo to be used by the build pipeline?

Answer
Watch
Like Salim Doost likes this
2504 views

1 answer

0 votes
Salim Doost
Salim Doost November 19, 2018

Hey Peter. I've the same considerations. Did you find a solution yet?

View More Comments
Salim Doost
Salim Doost November 19, 2018

In case anyone else looks for a solution, here is what worked for me:

ThisBuild / credentials += {
  (sys.env.get("ARTIFACTORY_USER"), sys.env.get("ARTIFACTORY_PASSWORD")) match {
    case (Some(user), Some(password)) => Credentials("Artifactory Realm", "your.host.here", user, password)
    case _ => Credentials(new File(ivyPaths.value.ivyHome.getOrElse(new File("~/.ivy2")).getPath + "/.credentials"))
  }
}

 This solution allows both a credentials file in your home directory or authentication via environment variables.

Like
Peter Nerg
Peter Nerg November 19, 2018

I have been looking at the same solution though in the end we went with a different build system not relying on bitbucket pipelines

Don't like configuring user/password in plain text for either each repo or on a global account just to satisfy the pipeline.

I want credentials to be hidden for even the project members, it's on a need-to-know basis and not every project member needs to have push rights to Artifactory hence they should not have access to the credentials.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events