CONTRIBUTING.md
22 additions & 1 deletion
@@ -309,11 +309,32 @@ I use [nvm](https://github.com/creationix/nvm) to install different versions of
309
309
310
310
### The Continuous Integration Pipeline
311
311
312
-
The pipeline is orchestrated in [CircleCI](https://app.circleci.com/pipelines/github/mountebank-testing/mountebank)
312
+
The pipeline is orchestrated in [CircleCI](https://app.circleci.com/pipelines/github/mountebank-testing/mountebank).
313
313
314
314
Every successful build that isn't a pull request deploys to a [test site](http://mountebank-dev.herokuapp.com/)
315
315
and a beta version of the npm and Docker image.
316
316
317
+
The deploy jobs rely on an NPM [granular access token](https://docs.npmjs.com/about-access-tokens). Each package has its own token scoped to that specific package which is stored as a secret in CircleCI. These tokens will expire every 90 days and need to be renewed. To do so follow these instructions:
318
+
1. Log into NPM and navigate to the "Access Tokens" page from your profile.
319
+
2. Delete any expired access tokens.
320
+
3. Generate a new access token.
321
+
- Click "Generate New Token"
322
+
- Enter a unique name (I suggest the package name for clarity)
323
+
- Check "Bypass two-factor authentication (2FA)" (see below for more info)
324
+
- Under "Packages and Scopes" choose the "Read and write" permission
325
+
- Select "Only select packages and scopes" and select the package that will be published with the token to scope it to that specific package
326
+
- Set the expiration date to 90 days
327
+
- Click "Generate token"
328
+
- Make sure you keep the generated token available since you will only be able to view it once
329
+
4. Log into CircleCI and navigate to the project for the package you are deploying.
330
+
5. Update the access token environment variable.
331
+
- Navigate to the project settings and click on "Environment Variables"
332
+
- Click "Add environment variable"
333
+
- Enter a name of `NPM_API_KEY` with the access token from step #3 as the value
334
+
6. Find the latest `master` pipeline and re-run it. Confirm the deploy step is successful.
335
+
336
+
Allowing the tokens to bypass 2FA is necessary in order to run the deploy jobs without manual intervention (entering an OTP). The more secure way to automate deployment is through ["Trusted publishing"](https://docs.npmjs.com/trusted-publishers) which uses OIDC, but unfortunately CircleCI is not a supported provider as of November 2025.
337
+
317
338
## Releasing mountebank
318
339
319
340
Very few of you will have to worry about this, but in case you're curious, here's the process. CircleCI does most
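Review bot: The renewal steps (1 to 6) never retire the token being replaced when it is renewed before it expires. Step 2 only says "Delete any expired access tokens", so a read/write token that bypasses 2FA stays valid next to the new one until its 90 days run out. Consider adding a step 7 after the re-run in step 6: once the deploy step succeeds with the new token, delete the previous token for that package on the "Access Tokens" page. Step 5 would also be clearer if it said that the existing `NPM_API_KEY` value is being replaced, since "Add environment variable" reads as if the variable does not exist yet. Because each package has its own token and its own CircleCI project, it is worth stating explicitly that steps 3 to 6 are repeated once per package.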