I have written a GitHub app that requests permissions for all repository contents.
The app basically reads a spec file that I created in order to do some custom logic.
The spec file can be located in any folder that the installer wants and therefore I ask for the elevated permissions.
For security reasons, I need the Github App to only have permissions to the specific file and not the entire repository contents.
Let's say I have 2 installations:
Installation one will request permissions just to some/path/to/folder/service.yml
Installation two will request permissions just to service.yml
I couldn't find any way to do so, not in the api of the installer, and not at the GitHub app level.
I thought about some workarounds using symlinks but it does not satisfy the requirement.
Related
I'm in a very frustrating situation where we are trying to clean out a large amount of data in a TFVC repo on an Azure Devops Server installation. I am a domain admin, I am the SQL server admin, and an admin anywhere I can find throughout Devops.
Yet, I had multiple issues trying to delete the top level folders out of the repo due to needing Read or Commit permissions. So, I managed to navigate through all the different levels of folders and identify a few folders/files where inheritance was turned off and I didn't have permission, so I added myself, and voila was able to delete the folder/file.
However, I have one folder left that refuses to let me delete it. It tells me I need Commit permissions on the folder. There are no other folders/files under this folder that are visible.
I've searched high and low for anything that would let me "take ownership" or some how override these permissions that are possibly buried under this folder somewhere. I suspect maybe there is a deny or broken inheritance under this folder that prevents me from even seeing the data.
Is there anyway to gain access to this and delete this folder?
The project I'm working on currently deploys our private node packages via github packages. Our current workflow is for each developer to create and maintain their own personal access token, and then we use a central account's PAT for automation in AWS.
I was wondering if it's possible to authenticate with github packages without the use of Actions or PAT's?
As of 2022-07-30
No, it is not possible to use github packages without a personal access token (PAT):
It is not possible to upload without a PAT (which makes sense as it prevents random people to upload binaries to your package repo);
It is not possible to download without a PAT (not even publicly available packages can be used);
As early as 2019-10-20, people have requested github to remove PATs as a requirement for mainly downloading public packages.
The idea is that users of libraries should not need to have a github account to access a developer's package.
Sadly, the request for pat-less package downloads was not granted by Github to this day.
If you want a package registry without a hassle, it might be wise to look for other registries, such as MavenCentral or JitPack (not necessarily meant for node packages),
or host a service yourself.
I even had to link a cached webpage, as the original question has been removed from Github community along with a bunch of related questions.
Another question on github, stating pat-less access to packages is still on the roadmap for "fall 2021" is here.
I could not find what the current status of this feature is.
Edit: It is possible to download binaries without a PAT for public repositories using jitpack.io. Jitpack builds the given jar/aar on their servers.
You can add jitpack as a repository to your build system, and use the jitpack-specified URL to reference releases, branches, or specific commits.
Sadly, there is no way to refer to packages (yet).
However, this system allows your users to use your code without needing PATs nor a Github account.
I'd like to offer an alternative.
You may use a Gradle plugin of mine (magik, I was exactly in your shoes) to easier the consumption of artifacts from your Github Packages for Gradle clients.
It require you to save your read-only PAT on the repo itself, so that the users don't have to deal with any authentication (apart using the plugin above mentioned)
I am managing a mostly static site through GoDaddy.
The site is a React single page application, that is still currently under development, and that occasionally needs content updating. The project folder is hosted as a public git repository.
My goal is to be able to automate the process of updating the site. Currently I need to:
npm run build
navigate to the build folder in windows file explorer
navigate to the public html folder in cpanel, in my web browser
delete the current build files
upload the contents of the build files into cpanel, folder by folder (cpanel will not allow me to upload subfolders)
I have looked through countless forum posts, and blogs, etc to find a way to automate this, but I always end up doing it manually.
You need to investigate using continuous deployment (CD/CI) and using a different hosting setup. Unfortunately, the type of platform that you use (with CPanel) is limiting and is not really oriented at your use case.
However, CPanel does have an option to use Git version control to manage the files and folders in your account. Go into this option and say "Clone repository", where you'll have to link a repo and say where it should install. Note: It is possible that your hosting provider has disabled this feature.
I suspect that this CPanel feature does not automatically pull in changes when you update the repo, so you would probably still need to manually clone the repo again when you make changes (which is still easier than copying files over). Also note that any data you store may be removed when cloning again.
Every time I publish my project my folder permissons get removed. My project requires IIS APPPOOL\appPoolName and IUSR to have specific access right to specific folders.
Whats the best way to apply the folder permissons after the artifact has been published?
Not sure if totally get your point. You can use location elements in the web.config file, there is a lot of information on the web about that - this gives you a start: HOW TO: Control Authorization Permissions in an ASP.NET Application
Besides, for folder NTFS permissions here rather than web security permissions. You could also add a custom target to Visual Studio's web publishing pipeline. For detail ways please take a look at what Sayed Ibrahim Hashimi does here.
I have a Github App set up using their v3 API. I am successfully authenticating and I can create and modify repositories. I'm trying to also attach a deploy key to a newly created repository. However, I'm getting 403: Resource not accessible by integration -- this is regardless of whether I try to read or write the keys. The app is installed on the organization, and the repository is also owned by that same org.
The api documentation gives routes for managing deploy keys: https://developer.github.com/v3/repos/keys/#add-a-new-deploy-key
But the permissions list doesn't mention deploy keys at all: https://developer.github.com/v3/apps/permissions/#permission-on-administration
I have turned on Read & Write access for Repository Administration, Repository Contents, and Repository Projects in the permissions for the app, but I'm still getting this access error.
That endpoint hasn't been enabled for GitHub Apps yet -- you can only use it with OAuth tokens currently (or Basic Auth).
I recommend requesting that this be added for GitHub Apps over on the Platform forum for Apps:
https://platform.github.community/c/integrations
That's the best place to ask questions and provide feedback about GitHub Apps (GitHub staff monitors that forum and answers questions).
I can add deploy keys with "Read and write access to administration" permission. (as of Jan 17, 2023)