Héctor Ramos aae3a7816e Use one time password when publishing to npm (#20701)
Summary:
This pull request addresses the failing publish-npm.js script from earlier this week. For background, last month we reset all npm access tokens for any package related to Facebook, and we now require all accounts with publish permissions to have two factor enabled.

The publish-npm.js script relied on one such token that is configured in Circle CI as a envvar. The token has been updated in Circle CI, but we now need a way of passing the one time password to npm.

With this PR, we can now grab the otp from Circle CI's envvars. Considering otps are ephemeral, this requires the NPM_CONFIG_OTP envvar to be set by someone with publishing permissions anytime a new release will be pushed to npm. The token is short lived, but it would still be good to clear the envvar after the package is published. Circle CI envvars are not passed on to PR/forked builds.

This PR is effectively a breaking change for the release process, as the publish step will not succeed if the OTP is not valid.

OTPs are short-lived, and the publish_npm_package job will definitely outlive the token. Unfortunately this will require some timing to get right, but the alternative is to ssh into the Circle CI machine and re-run the `npm publish --otp` command, which again would still require someone with publish access to provide the otp.
Pull Request resolved: https://github.com/facebook/react-native/pull/20701

Differential Revision: D9478488

Pulled By: hramos

fbshipit-source-id: 6af631a9cb425271b98c03d158aec390ebc95304
2018-08-22 23:32:27 -07:00
..
2018-06-28 14:17:38 -07:00
2018-08-03 13:32:49 -07:00
2018-02-16 18:31:53 -08:00