
Comments (16)

jasonm commented on June 19, 2024

cc @jtimberman @freeformz @cbeams re our Twitter conversation about this.

from clahub.

jasonm commented on June 19, 2024

cc @ryanbrainard did we discuss (GitHub OAuth scope granularity) this yesterday? If so, do you know anything about it?

jasonm commented on June 19, 2024

I've contacted GitHub support to ask if we can have a public_repo:status OAuth scope.

jasonm commented on June 19, 2024

Also curious if @roidrage of @travis-ci, @dlowe of @circleci, or @semipermeable of @tddium know anything about this? Sorry for the CCfest, feel free to de-watch, but I heard this is a feature GitHub is reticent to add (hope I'm super wrong about that 😃 ) so I'm eager to either (1) see that this convo exists already somewhere or (2) get it started.

jasonm commented on June 19, 2024

Interesting: I have verified that only the public_repo scope is necessary, and that it gives authorization to update commit status for public repos. I'll fix accordingly.

jasonm commented on June 19, 2024

Side note: possibly clarify GH docs if that'd be helpful. github/developer.github.com@77c7f3c#commitcomment-2465391

jasonm commented on June 19, 2024

No more private repo access:

cbeams commented on June 19, 2024

Thanks for such a quick turnaround on this, @jasonm. I'll just mention that it may continue to be concerning to users when they see that ClaHub can update commits in public repositories. I'm still not sure myself whether this is actually something that ClaHub needs permission-wise—I would think it needs only access to Issues (and therefore Pull Requests). Perhaps I'm missing something, or perhaps this is just as fine-grained as GitHub's OAuth scopes can go?

In any case, can you verify whether ClaHub would ever actually "update commits" in a repository that uses it. And if so, why?

jasonm commented on June 19, 2024

Thanks for pushing on this Chris, very good point.

CLAHub creates "commit status" updates to indicate pass/fail at a
per-commit granularity with the
http://developer.github.com/v3/repos/statuses/ API.

GitHub itself actually rolls up the commit statuses to determine the status
of a pull (e.g. Each commit in the pull must pass, otherwise the whole pull
is failed.)

It could indeed suffice with a reduced oauth scope for only modifying the
status of commits on a public repo, but this scope doesn't exist in
GitHub's API.

CLAHub has no need to modify the contents of commits, only to set commit
status.
I'll follow up with GH.

On Sunday, January 20, 2013, Chris Beams wrote:

Thanks for such a quick turnaround on this, @jasonm.
I'll just mention that it may continue to be concerning to users when they
see that ClaHub can update commits in public repositories. I'm still not
sure myself whether this is actually something that ClaHub needs
permission-wise—I would think it needs only access to Issues (and therefore
Pull Requests). Perhaps I'm missing something, or perhaps this is just as
fine-grained as GitHub's OAuth scopes can go?

In any case, can you verify whether ClaHub would ever actually "update
commits" in a repository that uses it. And if so, why?


jasonm commented on June 19, 2024

Followed up.

jtimberman commented on June 19, 2024

🤘 thanks @jasonm!

jasonm commented on June 19, 2024

To update, we're currently using the least permissive ("best") GitHub OAuth scope we're able to.

cbeams commented on June 19, 2024

Thanks, Jason!

On Feb 17, 2013, at 1:07 AM, Jason Morrison wrote:

To update, we're currently using the least permissive ("best") GitHub OAuth scope we're able to.


jasonm commented on June 19, 2024

Thinking more on this, we only need this scope for people who make agreements. People who are signing agreements really only need their identity provided by GitHub, so we should be able to only ask for the (no scope) "Public read-only-access" GitHub OAuth scope. I've added a new issue #54 for this. I'll keep this issue #17 open in case there's ever a public_repo:status scope, which would be the ideal (most restrictive) scope for people who create agreements.

from clahub.
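
The per-role scoping discussed in this thread, as an added example that is not CLAHub's own code: it requests only the scope each kind of user needs and audits a token's granted scopes, which GitHub reports in the `X-OAuth-Scopes` response header. The role names, the policy table and the sample header values are assumptions made for illustration.

```python
"""Added example: per-role least-privilege check for GitHub OAuth tokens.

Role names and the policy table are assumptions drawn from the thread.
"""
from urllib.parse import urlencode

# Scopes each kind of user needs, per the discussion above.
REQUIRED = {
    "agreement_owner": {"public_repo"},  # sets commit statuses on public repos
    "signer": set(),                     # identity only: the no-scope default
}

# "repo" also covers private repos and includes what public_repo grants.
IMPLIES = {"repo": {"public_repo"}}


def parse_scopes(header_value):
    """Parse the comma-separated X-OAuth-Scopes response header."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def authorize_url(role, client_id):
    """Build the authorization URL, requesting only what the role needs."""
    params = {"client_id": client_id}
    if REQUIRED[role]:
        params["scope"] = " ".join(sorted(REQUIRED[role]))
    return "https://github.com/login/oauth/authorize?" + urlencode(params)


def audit(role, header_value):
    """Compare a token's granted scopes with the role's minimum."""
    granted = parse_scopes(header_value)
    effective = set(granted)
    for scope in granted:
        effective |= IMPLIES.get(scope, set())
    missing = REQUIRED[role] - effective
    excess = granted - REQUIRED[role]
    return {"missing": sorted(missing), "excess": sorted(excess),
            "ok": not missing and not excess}


if __name__ == "__main__":
    # Constructed header values, not captured from a real token.
    for role, header in [("agreement_owner", "repo"),
                         ("agreement_owner", "public_repo"),
                         ("signer", "public_repo"), ("signer", "")]:
        print(role, repr(header), audit(role, header))
```
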

ferventcoder commented on June 19, 2024

Can this be closed? #101 (comment)

genevec commented on June 19, 2024

Yup. Closing! See #101.
