staged approval customization / api

[theoephraim]

🏷️ Discussion Type

Product Feedback

Body

Thanks for getting out staged publishing. Adding that final check isolated from CI is an important step.

I'd like to implement my own staged approval workflow - for example going through some kind of audit, and then having multiple users sign off, using my own 2fa requirements. I'm fine with being responsible for the security around this - the important part is that it is isolated from CI, which is more easily compromised. If I understand correctly, I can sort of do this if I use a read-write token and send along a generated OTP with the stage approve cli command. A few problems with this:

• this is all still attached to a specific user, which could be a bit misleading, when it will be a more automated actor
• I don't really want to create a read-write token that can do anything else, I just want it to be able to approve staged publishing
• currently users can only have a single OTP 2fa secret attached to their account, so I'd have to reuse the same secret I normally use for login
• Ideally I'd force the approvals to go through my custom process, not allow any collaborators to publish OR my custom workflow
• read write tokens are only valid for max 90 days, which would be very annoying

A few ideas that might help:

• allow creating a new type of api key (or a new setting) that is only usable to list and approve staged publishing, these should be allowed to be valid indefinitely
• provide webhooks for staged publishing events
• allow further limiting policy around who can approve staged publishing

One specific implementation would be allowing creating a new staged approval key that is attached to a specific package or to a scope rather than a user. Probably ok if there's only 1 at a time. Existence of this key could then disable approval by any users. Additional IP restrictions like on normal keys might be nice.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐