Merge pull request #120 from packagist/conductor-token-auth

Condcutor: explain short-lived update tokens to access Private Packagist

Author: glaubinix

Resources/public/img/docs/conductor/authentication-token.png

@@ -4,7 +4,7 @@
 Running Composer commands against Private Packagist always requires authentication.
 
 ## Different types of tokens
-Three different types of authentication tokens can be used to access Private Packagist.
+Four different types of authentication tokens can be used to access Private Packagist.
 
 ### User access token
 Every user has their own token that they can access either on the profile page or on the overview page of their organizations.
@@ -24,6 +24,11 @@ Read-only tokens are only meant to be used with an existing composer.lock file.
 If you need to run `composer update`, then either use a token with update access or your personal access token.
 Please note that you will be charged for authentication tokens with update access as if they were user accounts.
 
+### Conductor authentication tokens
+Conductor creates short-lived authentication tokens with update access for each CI run that gets scheduled. Similar to
+organization authentication tokens, access can be restricted to any set of packages which any of the organization's teams 
+has access to which can be configured when enabling Conductor for your packages.
+
 ### Private Packagist vendor customer tokens
 Every Private Packagist for Vendors customer receives their own authentication token.
 The token can only be used to install packages from the matching customer URL.
@@ -37,6 +42,7 @@ There are currently three different prefixes:
 * `packagist_ort_`: Organization tokens with read-only access
 * `packagist_out_`: Organization tokens with update access
 * `packagist_uut_`: User tokens with update access
+* `packagist_cut_`: Conductor tokens with update access
 
 This format doesn't apply to authentication tokens generated for Private Packagist for Vendors customers and older tokens that haven't been regenerated recently.
 These tokens only consist of the 60 hexadecimal character random part.

docs/composer-authentication.md

@@ -31,21 +31,13 @@ Create a new GitHub Actions workflow in `.github/workflows/conductor.yaml` of yo
 CONDUCTOR_GITHUB_ACTIONS_WORKFLOW
 
 1. Adjust the PHP Version used in the "Install PHP" step
-2. Commit and push the workflow to your main branch of your package repository
+2. Commit and push the workflow to your main branch of your GitHub repository
 
-Create a secret `CONDUCTOR_COMPOSER_AUTH` with the Composer authentication configuration [as described here](https://getcomposer.org/doc/articles/authentication-for-private-packages.md#authentication-using-the-composer-auth-environment-variable) to access Private Packagist.  
-We recommend to create a dedicated authentication token with update access. You can copy and paste the contents for the secret from the "Environment variable" tab in the Private Packagist UI while creating the token in "Settings" -> "Authentication Tokens". Remove the single quotes around the value.
-
-![Create Authentication Token](/Resources/public/img/docs/conductor/authentication-token.png)
-
-The contents of the variable should look like this:
-
-```json
-{"http-basic": {"repo.packagist.com": {"username": "token", "password": "packagist_out_73a81c..." }}}
-```
-
-Conductor needs to verify your CI setup before you can start receiving PRs.
+If your package requires access to your Private Packagist Composer repository then Conductor will automatically create
+[short-lived authentication tokens](../composer-authentication.md#conductor-authentication-tokens) to run Composer commands in your CI environment.
+Similar to organization authentication tokens, access can be restricted to any set of packages to which any of the organization's teams has access.
 
+Once the workflow is added to your GitHub repository, Conductor needs to verify your CI setup before you can start receiving PRs.
 ## Verify your CI setup
 
 - Navigate to the "Conductor" tab in your Private Packagist organization.