:clipboard: Description
Recently, GitHub has launched a new beta feature: the GitHub Package Registry (GPR)! :tada:
It currently supports alternative registries for NPM, Docker, Maven, NuGet, and RubyGems. For this issue, I would like to focus specifically on the NPM registry variant of GPR.
Ideally, Shields would support GPR for all NPM-based badge URLs, including those that start with /npm/, /node/, /jsdelivr/npm/, /snyk/vulnerabilities/npm/, etc.
:link: Data
As far as I know, the GitHub Package Registry for NPM supports all of the usual NPM Registry API endpoints (as it is fully compliant with the NPM CLI). This might lead one to believe that we could make use of the registry_uri query param that is available on some of the NPM services, e.g. https://img.shields.io/npm/v/@octokit/webhooks.svg?label=GPR&logo=github&registry_uri=https%3A%2F%2Fnpm.pkg.github.com (→ https://github.com/octokit/webhooks.js/packages)
However, the GitHub Package Registry's API does not support anonymous access, and so that approach fails with 404 responses.
Looking through the Shields code for the npm-base service, I see there is already support for a Bearer token, so I believe you could establish a new set of /npm-equivalent URIs for a separate instance of the npm-* services with a GitHub Personal Access Token (PAT) as the Bearer token (npm_token).
However, you may instead want to consider modifying the code to detect when registry_uri is set to https%3A%2F%2Fnpm.pkg.github.com and use an alternative secret name like gpr_token. This may feel less clean but it should still require minimal changes and would prevent the need to add and maintain alternative URLs — instead just ensuring that the support for registry_uri is available on all NPM-related endpoints.
:microphone: Motivation
GitHub Package Registry is likely to become a popular alternative to the NPM registry due to its focus on security, traceability, and mandatory package @scope. If a package author chooses to publish their packages to both GPR and NPM, then they could just get badges using the existing NPM endpoints. However, if they only chose to publish to GPR, then the existing endpoints will not suffice.
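
The registry_uri-based token selection proposed above, sketched as an added example that is not part of the original issue or of the Shields code base. The function name `selectAuth`, the shape of the `secrets` object, and the rule that a token is attached only for an exact HTTPS host match are assumptions. The secret names npm_token and gpr_token come from the issue text.

```javascript
// Added example: hypothetical helper, not code from the Shields repository.
// registry_uri is caller-controlled, so the server-side token must only be
// attached when the parsed host is exactly a registry that token belongs to.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org'

// Exact-host allowlist: registry host -> name of the secret it may receive.
const TOKEN_BY_HOST = new Map([
  ['registry.npmjs.org', 'npm_token'],
  ['npm.pkg.github.com', 'gpr_token'],
])

function selectAuth(registryUri, secrets) {
  let url
  try {
    // WHATWG URL parsing lowercases the host and separates userinfo from it.
    url = new URL(registryUri || DEFAULT_REGISTRY)
  } catch (e) {
    return { error: 'invalid registry_uri', headers: {} }
  }

  const anonymous = { registry: url.origin, secretName: null, headers: {} }

  // No credential over plaintext, to a non-default port, or when the URL
  // carries userinfo (e.g. "https://npm.pkg.github.com@other-host/").
  if (url.protocol !== 'https:' || url.port !== '' || url.username || url.password) {
    return anonymous
  }

  // Exact match only: suffix or substring checks would also match
  // lookalike hosts such as "npm.pkg.github.com.registry.example".
  const secretName = TOKEN_BY_HOST.get(url.hostname)
  const token = secretName ? secrets[secretName] : undefined
  if (!token) {
    return anonymous
  }

  return {
    registry: url.origin,
    secretName,
    headers: { Authorization: `Bearer ${token}` },
  }
}

// Constructed placeholder secrets for illustration only.
const sampleSecrets = { npm_token: 'npm-placeholder', gpr_token: 'gpr-placeholder' }
console.log(selectAuth('https://npm.pkg.github.com', sampleSecrets).secretName)
console.log(selectAuth('https://npm.pkg.github.com.registry.example', sampleSecrets).secretName)
```

Any registry_uri outside the allowlist is still queried, but anonymously, so a badge URL cannot be used to forward the server's PAT to a third-party host.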