Comments (8)
You still can use http to clone repos when GH:E is in private mode. It would only require an oauth token with the right privileges. Using oauth tokens is easier to manage, since you don't have to add the deploy key to every repo, and probably more secure, since revoking access only requires you to remove the grant for the token in your organization.
from gitness.
yes, we can definitely alter our approach to use the github oauth token. In this case I think we'll want to generate a .netrc file to store the credentials in the container. This would allow an individual to clone multiple private repositories as part of their build script without embedding credentials in the .drone.yml file.
we need to rework our git logic anyway to support caching:
#147 (comment)
from gitness.
I wanted to document a conversation I'm having on our mailing list. It looks like GitHub now offers admin:repo_hook which means we can probably re-think our scopes and require much less invasive permissions.
I think we should use these scopes:
admin:repo_hook -> this allows us to write hooks to the repo
repo:status -> this allows us to write the build status to github
user:email -> this allows us to retrieve the user details, including the email
We wouldn't be able to add an SSH key to the repository with the above scopes, however, this would be resolved (as mentioned above) by using the OAuth token to clone the repository, using the https address:
git clone https://<token>:[email protected]/owner/repo.git
I believe the .netrc will still be very important. We'll need to ensure we can clone private dependencies (when using things like go get, for example). We'll need to account for this when generating our build container.
We'll also need to add the username/password to the build.Builder.Repo somewhere in the queue (I think).
I'm modifying the title of this issue to reflect the revised goal and solution
from gitness.
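The .netrc approach discussed in the comment above, as an added example that is not part of the original thread or of the Drone/gitness code base. It assumes git reads $HOME/.netrc in the build container (libcurl behaviour), uses GitHub's documented convention of sending the OAuth token as the login with the fixed password x-oauth-basic, and uses a constructed placeholder token. The point it demonstrates: write the credential file with mode 0600 and keep the token out of the clone URL, so it never lands in argv, build logs or .git/config; a redact helper is included for output that might still echo a URL typed with inline credentials.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// netrcEntry holds the credentials git will use for one host.
// For GitHub OAuth tokens the documented convention is: login = token,
// password = the fixed string "x-oauth-basic".
type netrcEntry struct {
	Machine  string
	Login    string
	Password string
}

// renderNetrc produces the .netrc text for one or more hosts. One entry per
// host is enough for git to clone every repository on that host the token can
// read, so private dependencies pulled by tools such as `go get` work without
// touching .drone.yml.
func renderNetrc(entries []netrcEntry) string {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "machine %s\nlogin %s\npassword %s\n", e.Machine, e.Login, e.Password)
	}
	return b.String()
}

// writeNetrc writes $HOME/.netrc with mode 0600 and returns its path.
// A world-readable credential file is the usual mistake when this is done
// with a bare `echo ... > ~/.netrc` in a build script.
func writeNetrc(home string, entries []netrcEntry) (string, error) {
	path := filepath.Join(home, ".netrc")
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.WriteString(renderNetrc(entries)); err != nil {
		return "", err
	}
	return path, nil
}

// cloneURL builds the https clone URL without the token in it. With .netrc in
// place, git authenticates from the file and the URL stays credential-free.
func cloneURL(host, owner, repo string) string {
	return fmt.Sprintf("https://%s/%s/%s.git", host, owner, repo)
}

// redact masks the token anywhere it could still leak, e.g. a git error
// message that echoes a URL someone typed with inline credentials.
func redact(s, token string) string {
	if token == "" {
		return s
	}
	return strings.ReplaceAll(s, token, "[REDACTED]")
}

func main() {
	token := "ghp_constructedPlaceholder" // constructed placeholder, not a real token
	home, err := os.MkdirTemp("", "build-home")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(home)

	path, err := writeNetrc(home, []netrcEntry{{Machine: "github.com", Login: token, Password: "x-oauth-basic"}})
	if err != nil {
		panic(err)
	}
	fmt.Println("wrote", path)
	// The command a build step would run; no credential in the URL.
	fmt.Println("git clone", cloneURL("github.com", "owner", "repo"))
	// What a log line should look like if git ever echoes an inline-credential URL.
	fmt.Println(redact("fatal: https://"+token+":x-oauth-basic@github.com/owner/repo.git", token))
}
```

In a real runner the HOME used here is the build container's home directory and the token comes from the server-side grant, not from the pipeline file; the file should be created before the clone step and removed (or the container discarded) afterwards.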
Maybe I spoke too soon... It looks like to clone a repository we still need to request the repo scope, which requires read/write access to a repository.
I see GitHub has been doing a lot of work to add more fine-grained scopes. @calavera are there plans to create a scope that can clone a repository without requiring write access? something like repo:read?
from gitness.
Yes, the lack of a repo:read scope was the main roadblock I ran into when I was investigating this. Having that scope would be very useful.
AFAIK, the only way right now to clone a private repository without also requiring write access was to create a "machine user" with read-only permissions to the repository, which was the workaround I suggested on the mailing list. Unfortunately this user cannot create commit status and repo hooks on the organization's private repos.
from gitness.
Yep, the GitHub team has clearly been putting a lot of effort into security and scopes, which is awesome. I wouldn't be surprised if repo:read was on their roadmap. Hopefully @calavera has some inside information he can share :)
from gitness.
Would it be possible to let the user choose public_repo instead of only repo? I don't need drone.io for my private projects.
from gitness.
fixed by #1511
from gitness.