I'm managing a GitHub organisation, with multiple repositories running actions on release tags that generate a release for the repo.
I've started modifying the actions to upload the releases to a common Release repo to keep them all in one place, with the ncipollo/release-action github action, using a Basic token with the "repo" permission to upload.
I like to start using fine grained permissions instead but haven't been able to figure out the permissions needed. Have tried with:
Read access to metadata
Read and Write access to deployments
but that fails.
Anyone know the correct permissions to use? Thanks.
nb. All repositories are private
Tried using the "Read and Write access to deployments" permission, but the upload fails.
And of course, I sorted out the issue shortly after posting...
The correct permission to use is "Contents" which covers "Repository contents, commits, branches, downloads, releases, and merges."
Related
I want to use git hub API like octokit.rest.repos.createUsingTemplate to create a repository. But instead of creating repo directly, I want a request to be raised to ADMIN. Once ADMIN approve the request, then only the repository will be created. Is there a way to do it?
I used octokit.rest.repos.createUsingTemplate directly. But instead I want repo creation should go via an approval process.
There is no way to do that and prevent repos from being created through normal means.
What you could do is look into GitOps for these kinds of things. GitOps is a method where you use git (or GitHub) events to t
trigger processes.
You could for example let users create an issue in a repo requesting the new repo, and have an admin approve that request by labeling the issue (something only someone with triage or up rights can do).
Keep in mind that this will not directly disallow repos from being created the normal way.
There is a setting at the org level to prevent users from creating repos though, so together this could give the intended result.
I just signed up for GitLab, after learning about this cool feature where you can import your GitHub repositories and keep the two in sync. The import feature seems simple enough, but I paused when I got to the step where I authorize GitLab to my GitHub account. Why does it need so many permissions? Some make sense to me, others not so much. Specifically:
Personal user data
Full access
This application will be able to read and write all user data. This
includes the following:
Private email addresses
Private profile information
Followers
I understand why it needs to read and write to all public and private repository data. It's moving all that data to GitLab, and it needs to write to keep it in sync. What I don't understand is why it needs write permissions to my email and profile information?
I know that GitLab is a reputable company that didn't just pop up yesterday, but I am still wary when giving full access permissions to any service. If someone could help me understand, that would be appreciated.
You have two options when migrating a repository from GitHub to GitLab. You can migrate using only the url, in which case what you’ll have on GitLab is more similar to what you’d get if you simply added an additional remote in the repo - the full repo will be there, but everything specific to GitHub - the pull requests, comments, issues, etc, as well as all users tagged or participating - will be lost.
Alternatively, you can use the GitHub importer. This option fully migrates the GitHub repo to GitLab, setting up the GitLab equivalents of GitHub features (pull requests become merge requests, etc.). And part of this involves assigning users to each comment, mention, PR, etc.
From the gitlab docs:
When issues and pull requests are being imported, the importer attempts to find their GitHub authors and assignees in the database of the GitLab instance. Pull requests are called merge requests in GitLab.
For this association to succeed, each GitHub author and assignee in the repository must meet one of the following conditions prior to the import:
Have previously logged in to a GitLab account using the GitHub icon.
Have a GitHub account with a public-facing email address that matches their GitLab account’s email address.
GitLab content imports that use GitHub accounts require that the GitHub public-facing email address is populated. This means all comments and contributions are properly mapped to the same user in GitLab. GitHub Enterprise does not require this field to be populated so you may have to add it on existing accounts.
So yes, these are required if you want the full GitHub mirror or migration. If you just want the git repo contents, use the import from url tool, and the requirements will be much less extensive.
The project I'm working on currently deploys our private node packages via github packages. Our current workflow is for each developer to create and maintain their own personal access token, and then we use a central account's PAT for automation in AWS.
I was wondering if it's possible to authenticate with github packages without the use of Actions or PAT's?
As of 2022-07-30
No, it is not possible to use github packages without a personal access token (PAT):
It is not possible to upload without a PAT (which makes sense as it prevents random people to upload binaries to your package repo);
It is not possible to download without a PAT (not even publicly available packages can be used);
As early as 2019-10-20, people have requested github to remove PATs as a requirement for mainly downloading public packages.
The idea is that users of libraries should not need to have a github account to access a developer's package.
Sadly, the request for pat-less package downloads was not granted by Github to this day.
If you want a package registry without a hassle, it might be wise to look for other registries, such as MavenCentral or JitPack (not necessarily meant for node packages),
or host a service yourself.
I even had to link a cached webpage, as the original question has been removed from Github community along with a bunch of related questions.
Another question on github, stating pat-less access to packages is still on the roadmap for "fall 2021" is here.
I could not find what the current status of this feature is.
Edit: It is possible to download binaries without a PAT for public repositories using jitpack.io. Jitpack builds the given jar/aar on their servers.
You can add jitpack as a repository to your build system, and use the jitpack-specified URL to reference releases, branches, or specific commits.
Sadly, there is no way to refer to packages (yet).
However, this system allows your users to use your code without needing PATs nor a Github account.
I'd like to offer an alternative.
You may use a Gradle plugin of mine (magik, I was exactly in your shoes) to easier the consumption of artifacts from your Github Packages for Gradle clients.
It require you to save your read-only PAT on the repo itself, so that the users don't have to deal with any authentication (apart using the plugin above mentioned)
We are hosting some repository on GitHub, some other on GitLab.
Sometimes, the package is published but not the source code.
We always display build status and code coverage in README.md.
Is there a way to have build and coverage badge on GitLab always accessible to anonymous?
Since release 11.4.8 of Gitlab it's not possible to expose project's Badges through a Personnal Access Token anymore. Because of the change "
Restrict Personal Access Tokens to API scope on web requests."
The commit that removed this "workaround" was published as a security fix
An ongoing issue is currently being discussed to find another solution. Let's see how it goes.
That was followed by issue 13324
It includes:
FYI, I have a workaround for this using the GitLab API.
It assumes you have created a token in GitLab for a user (Note: That "user" needn't necessarily be Human - my use case is to display a badge on a dashboard hosted on a different VM).
<img src="https://<gitlab-uri>/<namespace>/<project>/badges/<branch>/build.svg?private_token=<token>
Update Dec. 2018: This is no loger possible through a token (see Paul B.'s answer).
This is because of "Improper Enforcement of Token Scope":
The GitLab web interface was vulnerable to an authorization issue that allowed access to the web-UI as a user using their Personal Access Token (PAT) of any scope.
The issue is now mitigated in the latest release and is assigned CVE-2018-19569.
But...:
Updated: 2018-11-28: We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users.
For instructions on how to do so through the API, please see our support issue.
And you also have a current workaround which repeats the API access:
It is possible to add the project avatar to the project repository with a particular filename (logo) and then this file will be used for the avatar. There is an example here:
https://gitlab.com/issue-reproduce/project-avatar-repo
You'll be able to retrieve the files through the Repository Files API:
https://docs.gitlab.com/ee/api/repository_files.html#get-file-from-repository
Example:
https://gitlab.com/api/v4/projects/issue-reproduce%2Fproject-avatar-repo/repository/files/logo.png?ref=master
If I try to click the “flip switch” next to a new repository in my Travis account, the flip switches but the hooks are never configured and I cannot trigger a build in Travis.
If I look at the console, I can read the following error:
XMLHttpRequest cannot load https://api.travis-ci.org/hooks/123456. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://travis-ci.org' is therefore not allowed access. The response had HTTP status code 500.
This may be linked to my GitHub organisation having activated third-party applications restrictions. Yet, all my previous repositories still build fine, and it's been weeks!
How can I start building a new repository in my Travis organisation account?
This is indeed linked to your organisation having third-party application restrictions, or “third-party whitelisting”.
You may not detect the problem at first since your current public repositories still receive web hooks, so it may be weeks before you get issues with Travis, and the connection with activation may be long lost in your mind.
So, now you've figured out these weird CORS/500 are linked to third-party application restrictions, you need to grant access to Travis again. But how? Travis has already been allowed access and won't ask you again for it upon login!
You have to go to your own user-approved application list in your GitHub profile, and click “View” next to the Travis-CI listing.
If you scroll down, you will get an “Organization access” listing. Your restricted organisation should be listed here, with a cross next to its name. Click “Grant access” to allow Travis into your org.
Everything should be in order now, and you should be able to activate Travis for your repo! You will just need to trigger a build by pushing a new commit after having “flipped the switch”.