
[Feature]: Ability to run a build without Authorization OR Scoped Authorization tokens

Open darrynten opened this issue 9 months ago • 2 comments

What area(s) will this request affect?

Other

What type of change do you want to see?

New feature

Overview

As per #4712, many people are unable to upgrade past 3.68.0 due to newer versions breaking CI environments.

The suggested fix is to add a very broad auth token to the CI environment; however, if this token is in place then anyone can make any changes they want to an organisation's partner account in an automated way just by opening a simple pull request.

We want either (a) the ability to run `npm run shopify app build` without an Authorization token like we could <=3.68.0 or (b) the ability to generate strictly scoped tokens, i.e. a token with only the build permission.

As it stands it's way too risky to upgrade the CLI past v3.68.0 with the proposed "fix" since it's possible to modify anything you want on a partner account with just a single pull request.

Motivation

Stuck on 3.68.0 since we cannot run crucial CI workflows on higher versions without risk to the organisation's partner account.

darrynten avatar Apr 01 '25 02:04 darrynten

If you don't want to use your main Org token in CI, there is a workaround for this:

  • Create a dummy Partners organization
  • Create a token for that organization
  • Use that token in CI

isaacroldan avatar May 06 '25 16:05 isaacroldan

I don't think the main problem here is the lack of workarounds. A more appropriate response to this and the "closed" linked issue would be a clarification on why the dance around this breaking change is needed and what kind of value this change is supposed to provide to developers. Otherwise it will continue to be treated as a bug and people will try to fix or report it. As a developer, I expect to be able to build my software in my preferred environment, with / without access to secrets or even a network connection. If that obvious expectation can't be satisfied, a helpful response will at least need to contain the reasoning behind the change, not just workarounds or hacks.

rmtngh avatar May 06 '25 17:05 rmtngh

This issue seems inactive. If it's still relevant, please add a comment saying so. Otherwise, take no action. → If there's no activity within a week, then a bot will automatically close this. Thanks for helping to improve Shopify's dev tooling and experience.

P.S. You can learn more about why we stale issues here.

github-actions[bot] avatar Jun 18 '25 03:06 github-actions[bot]