Comments (5)
Indeed, that would be a good approach.
I will try to get it working in our GitHub App / Lambda setup (https://github.com/philips-labs/terraform-aws-github-runner).
If I get it to work, I will create a similar PR here.
from outside-collaborators.
@JeroenKnoops, on second thought, I could do the following: instead of propagating the information from the automated repos to the central dashboard, we can isolate the processing locally to the repositories, thus without needing any PAT.
As a result, we will still need a PAT for running the main scripts in the central dashboard but, in this case, the PAT is not required to be organization-wide. Access to the dashboard is granted only to org admins.
from outside-collaborators.
Thanks for pointing out this vulnerability 👍🏻
I could actually add it to the ⚠ Known limitations/issues section.
Do the other repositories also need a PAT with org admin rights?
A PAT with full repo scope is needed for the mentioning mechanism of the automated repos. Non-automated repos do not need any PAT, although, as I've formulated the framework, the PAT is organization-wide.
One could circumvent this by:
- Creating a local PAT for each automated repo, but I'm afraid that the user owning the PAT would need to remain an org admin. Thus, the vulnerability persists. A PAT would be required even if the script responsible for mentioning were running locally in the repo, as we still need to grab information from the central dashboard repo.
- Not using the mentioning mechanism but only the centralized managing of outside collaborators.
Once GitHub provides the possibility to trigger workflows via webhooks (see the FAQ), we will be able to get rid of the specific local triggering workflow.
I haven't looked into trying to fix this vulnerability outright yet; I might be fiddling with this in the next few days. However, if you have suggestions, please don't hesitate to get back here!
Thanks again!
from outside-collaborators.
Another possibility to get around the PAT would be designing an equivalent GitHub App, I suppose.
from outside-collaborators.
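The GitHub App route suggested in the comment above, as an added example that is not part of the original thread or of the outside-collaborators project. It shows, in Go with only the standard library, the two steps an App uses where the framework currently uses an org-wide PAT: signing the short-lived App JWT with the App's private key (lifetime capped at 10 minutes, as GitHub requires), and building the request that exchanges that JWT for a one-hour installation token narrowed to named repositories and permissions. The App ID 12345, installation ID 42, repository name and the permission set (metadata:read, members:read, issues:write, pull_requests:write, which a mentioning mechanism that comments on issues/PRs and reads org membership would plausibly need) are assumptions, not values taken from the project. The request is built but deliberately not sent, so the block runs offline.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// maxAppJWTLifetime is GitHub's documented cap on a GitHub App JWT.
const maxAppJWTLifetime = 10 * time.Minute

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AppJWT builds the RS256 JWT a GitHub App signs with its private key to
// authenticate as the App (issuer = App ID). The JWT itself grants nothing on
// any repository; it is only good for minting installation tokens.
func AppJWT(appID string, key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > maxAppJWTLifetime {
		return "", fmt.Errorf("ttl %v must be in (0, %v]", ttl, maxAppJWTLifetime)
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": appID,
		"iat": now.Add(-60 * time.Second).Unix(), // backdated 60s for clock skew, as GitHub's docs recommend
		"exp": now.Add(ttl).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAppJWT checks the RS256 signature against the App's public key and
// returns the decoded claims. GitHub does this server-side; it is here so the
// example can be exercised offline.
func VerifyAppJWT(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// InstallationTokenRequest builds (but does not send) the call that exchanges
// the App JWT for a one-hour installation token. The body narrows the token to
// the listed repositories and permissions, so a leaked token exposes far less
// than an org-wide PAT with full "repo" scope.
func InstallationTokenRequest(jwt string, installationID int64, repos []string, perms map[string]string) (*http.Request, error) {
	body, err := json.Marshal(map[string]any{"repositories": repos, "permissions": perms})
	if err != nil {
		return nil, err
	}
	url := fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installationID)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	return req, nil
}

func main() {
	// Hypothetical values: a real App ID, installation ID and private key come from the App's settings page.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, err := AppJWT("12345", key, time.Now(), 9*time.Minute)
	if err != nil {
		panic(err)
	}
	req, _ := InstallationTokenRequest(jwt, 42, []string{"my-automated-repo"},
		map[string]string{"metadata": "read", "members": "read", "issues": "write", "pull_requests": "write"})
	fmt.Println(req.Method, req.URL)
}
```

The point this makes for the thread: the private key belongs to the App, not to any user's account, so no person has to stay an org admin for the automation to keep working, and the installation token a workflow actually holds is both short-lived and limited to the repositories and permissions listed in the request body. In a real workflow the request would be sent with `http.DefaultClient.Do(req)` and the `token` field of the JSON response used for the following API calls.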
Actually I have no experience with GitHub Apps, so that would really help out.
from outside-collaborators.
Related Issues (20)
- Empty groups are not handled correctly
- Action breaks when a user is invited more than once
- Add Host-coreboot.yml to repos directory and add coreboot users
- Failed when managing archived repos
- Deleting a file from repos does not trigger a proper cleanup
- Validate outside collaborators role before changing permissions
- check-automated-repositories does not warn that an user has been manually removed
- Comments within yaml file of group members
- Handle Rate Limit
- Judge the possibility to keep previous invitations
- Add collaborators to a list of repos
- Extend the mentioning mechanism to discussions
- Send out fresh invitations
- Duplicate entries break the update scripts.
- Github action still seems successful even if collaborators weren't added
- Rate limiter not handled correctly for paged services
- Rate limit exception got at a safeguarded seemingly single operation
- Mentioning Breaking - Need Info
- GH handles with wrong case are not added up
- PR are not actually checked