I am currently trying out Netlify Functions and using the Netlify CLI to set up the CD. In the authorizing options, I picked the GitHub Personal Access Token and I want to know if the Full control of private repositories scope will include the private repos in the organization that I am a part of, as I don't want it to access the repos in the organization.
The scope has a few implications and you should probably look at a user-specific role for setting up access tokens without giving access to a user (yourself) as the owner of the org repositories you have.
Create a (machine) user that has access to only the one repository or repositories (private) that would limit the access to these repositories or an organization repository. Since private tokens have read/write access, this is a prudent approach to making sure you're limiting access to other repositories using the token.
If at a later time this changes on GitHub, this will no longer be needed. It is the approach I have used to limit my exposure to a leaked token or access.
I'm reading the documentation on Scopes for OAuth Apps and it's not clear to me if it's possible to grant read access to private repos, without providing write access.
The repo scope grants full access to read and write everything. This works but it's more permissive than what we would like.
The scope public_repo is only for public repos as its name suggests, and I'm not sure if read:repo_hook is what I need or not.
What's the best suited scope for my use case of reading pull request by passing a commit hash as a parameter to Octokit?
For OAuth apps, the most granular scope is repo or public_repo, depending on whether you need access to all repositories or only public ones.
If you want more granular permissions, you need to use GitHub Apps, which also have OAuth features (GitHub calls these user-to-server tokens):
https://docs.github.com/en/developers/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps.
GitHub Apps need to be installed by users on repositories in order to grant access, and they have a pull_request read or write permission, depending on what you need.
I have a project on GitHub with which I need help. It started out as a personal project and has now evolved to me incorporating a company and hiring someone. How can I give this person access so that they cannot delete anything and only I will be allowed to accept their code changes or not?
This is a personal GitHub account and the repository is private.
Since the account is a personal account, you will be the owner unless you explicitly transfer ownership. Anyone you give access to will be a collaborator. They cannot access repository settings, add or remove collaborators, or delete the repository, for instance.
However, GitHub does not provide fine-grained permission controls for collaborators of repositories from personal accounts. You cannot prevent them from having write access. This help page provides a list of things collaborators can do in the repository.
You can (partly) achieve what you want by protecting your master branch and requiring reviews for pull requests.
For more fine-grained access control, you could create an organization account and transfer the repository there, and keep yourself as the sole user with admin permissions. You can then give your collaborator only read permissions.
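The branch-protection step from the answer above, as an added example that is not part of the original answer: it calls GitHub's REST endpoint `PUT /repos/{owner}/{repo}/branches/{branch}/protection` with a classic token holding the `repo` scope. The owner, repository, branch and token values are placeholders. The payload builder is kept separate from the network call so it can be checked without talking to GitHub.

```python
"""Require reviewed pull requests on a branch of a personal (user-owned) repo.

Added example, not code from the original answer. Assumes a classic token
with the repo scope; OWNER/REPO/BRANCH/TOKEN below are placeholders.
"""
import json
import urllib.request

API = "https://api.github.com"


def protection_payload(approvals=1, dismiss_stale=True, enforce_admins=False):
    """Build the body for PUT .../branches/{branch}/protection.

    required_status_checks and restrictions are required keys of this endpoint
    and must be present even when unused; restrictions (push allow-lists) are
    only available on organization-owned repositories, so for a personal repo
    they stay null. allow_force_pushes/allow_deletions keep the protected
    branch from being rewritten or removed by anyone with write access.
    """
    if not 1 <= approvals <= 6:
        raise ValueError("GitHub accepts 1-6 required approving reviews")
    return {
        "required_status_checks": None,
        "enforce_admins": enforce_admins,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": dismiss_stale,
            "require_code_owner_reviews": False,
            "required_approving_review_count": approvals,
        },
        "restrictions": None,
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def apply_protection(owner, repo, branch, token, **kwargs):
    """Send the protection rule to GitHub (network call; not exercised offline)."""
    body = json.dumps(protection_payload(**kwargs)).encode()
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/branches/{branch}/protection",
        data=body,
        method="PUT",
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
            "User-Agent": "branch-protection-example",  # GitHub rejects requests without one
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values; replace with real ones to run against GitHub.
    print(json.dumps(protection_payload(approvals=1), indent=2))
    # apply_protection("OWNER", "REPO", "master", "TOKEN", approvals=1)
```

With a single collaborator this gives the owner the control the question asks for: GitHub does not let a pull request's author approve their own pull request, so the owner is the only person who can supply the one required approval, and the collaborator cannot push directly to, force-push to, or delete the protected branch. The caveat is that a second collaborator with write access could approve the first one's pull request; at that point the organization route in the answer (or code-owner reviews) is needed.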
Objective: Allow different clients access to only read/pull from my private repo.
Overview:
Listed are the different options that I am aware of:
I could invite the clients and give them the Basic access level but do not want to have to pay for different users just to read/clone from the repo.
I could create a single user with the Basic access level and then create git access tokens for them individually. However, I did not see a way to restrict the access tokens to be project/repo specific. Instead, the access tokens created had the same privileges as the created user.
Question: What is the best practice to provide access to an external user to only access the private Azure DevOps repo?
Note: I have seen this link and did not know if there were other options.
To make the user only have read access to all repos in one project:
You may consider making the user a reader instead of contributor or Project Administrators, so the user can have only read access to the repos in one project.
Organization Settings=>Users(General)=>Manage user=> select Project reader.
For more details about project readers, you can check this document.
To make the user only have read access to one specific repo in one project:
We can control related permissions from Project Settings=>Repositories(Repos)=>Version Control Administrators:
Hope all above helps :)
We've set up a GitHub app so that it automatically forks a repository for another individual GitHub user using the GitHub API. Now we're running into a problem that not everyone wants to give us full read access to all of their private repositories since sometimes they contain sensitive data.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Unfortunately, this is not available yet. This feature is still under development as you can see in the GitHub Apps roadmap (and note that I am talking about GitHub Apps, not OAuth GitHub Apps). I don't know if this will ever be possible in OAuth Apps but it seems that it might in GitHub Apps.
There is already a discussion about this at the dear-github repository. You should check for news there.
Is there a way to only get read/write permission to a single repository and not the individual's entire account?
Not that I know of: it is easier to set up a new dedicated GitHub account where you would recreate the private repos you want to give access to.
In that new account, you can consider all the private repos can be accessed.
You would keep the really private ones (with sensitive information) in your original GitHub account.
I believe you're looking for X-OAuth-Scopes. This is a well-defined header so that you may restrict your access scope to, for example, public repositories only.
The GitHub developer documentation here says:
... space-delimited list of scopes. If not provided, scope defaults to an empty list for users that have not authorized any scopes for the application. For users who have authorized scopes for the application, the user won't be shown the OAuth authorization page with the list of scopes. Instead, this step of the flow will automatically complete with the set of scopes the user has authorized for the application. For example, if a user has already performed the web flow twice and has authorized one token with user scope and another token with repo scope, a third web flow that does not provide a scope will receive a token with user and repo scope.
My scenario is that I would like to list the private repositories for the user, given the organizations they grant access to. The intent is to provide status API integration.
I use the user:email scope as a form of identification in my app, so I am requesting that along with repo and read:org. I was trying to use repo:status instead of repo, but I couldn't seem to get the private repo listing that way.
So, my final set of scopes is:
user:email
repo
read:org
Is this the minimum set of scopes required, or am I missing a more restrictive combination that would work without write access to repos?
Your scopes are almost correct. You don't need the read:org scope to list organisations if you have repo.
Somewhat annoyingly, there is no scope to grant read only access to a private repo, even though there are separate read and write scopes for public ones. You can't read private repos without also allowing writing via the repo scope.
You're also right about repo:status—this scope is meant for interacting with commit statuses without being able to see the contents of the repository, for example a CI service like Travis.
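Added example, not part of any of the answers above: a small audit of a classic token's granted scopes against the minimum a job needs. It ties together the `X-OAuth-Scopes` response header mentioned earlier (GitHub sets it on any authenticated API response for OAuth tokens and classic PATs), the scope hierarchy from the OAuth Apps scope documentation (for example `repo` implies `repo:status` and `public_repo`; `admin:org` implies `write:org` implies `read:org`), and the question just above about whether `user:email, repo, read:org` is minimal. The implication table is the documented one; the sample header values are constructed for the demo, and the network helper is only called if you supply a real token.

```python
"""Check a GitHub classic token's granted scopes against a required minimum.

Added example, not code from the original posts. The IMPLIES table follows
GitHub's documented scope hierarchy for OAuth Apps / classic PATs.
"""
import urllib.request

# Parent scope -> scopes it directly implies (documented hierarchy).
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:org": {"write:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:public_key": {"write:public_key"},
    "write:public_key": {"read:public_key"},
    "admin:gpg_key": {"write:gpg_key"},
    "write:gpg_key": {"read:gpg_key"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scope_header(value):
    """Parse an X-OAuth-Scopes value such as 'user:email, repo, read:org'."""
    return {s.strip() for s in value.split(",") if s.strip()}


def expand(scopes):
    """Close a scope set under IMPLIES, i.e. everything the token can actually do."""
    out = set(scopes)
    frontier = list(scopes)
    while frontier:
        for child in IMPLIES.get(frontier.pop(), ()):
            if child not in out:
                out.add(child)
                frontier.append(child)
    return out


def audit(granted, required):
    """Compare granted scopes with the required set.

    Returns (missing, excess, overbroad):
      missing   - required scopes the token does not cover at all
      excess    - granted scopes that could each be dropped without losing coverage
      overbroad - granted scope -> the narrower implied scopes that would suffice
    """
    granted, required = set(granted), set(required)
    missing = required - expand(granted)
    excess = {s for s in granted if required <= expand(granted - {s})}
    overbroad = {}
    for s in granted - required:
        narrower = (expand({s}) - {s}) & expand(required)
        if narrower and required <= expand((granted - {s}) | narrower):
            overbroad[s] = narrower
    return missing, excess, overbroad


def fetch_granted_scopes(token, api="https://api.github.com"):
    """Read X-OAuth-Scopes from GET /user (network call; not exercised offline)."""
    req = urllib.request.Request(
        api + "/user",
        headers={
            "Authorization": "token " + token,
            "Accept": "application/vnd.github+json",
            "User-Agent": "scope-audit-example",  # required by the GitHub API
        },
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scope_header(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    # Constructed header values standing in for real API responses.
    cases = [
        ("user:email, repo, read:org", {"user:email", "repo"}),   # the question's token
        ("repo", {"repo:status"}),                                # CI status reporter holding full repo
        ("public_repo", {"repo"}),                                # needs private read, has public only
    ]
    for header, required in cases:
        missing, excess, overbroad = audit(parse_scope_header(header), required)
        print(f"granted={header!r} required={sorted(required)}")
        print(f"  missing={sorted(missing)} excess={sorted(excess)} overbroad={overbroad}")
```

The third constructed case reproduces the point of the accepted answer: nothing below `repo` covers private-repo reads, so `repo` shows up as missing rather than as something that could be narrowed. The second case is the CI scenario the answer mentions, where a token holding `repo` is flagged as overbroad with `repo:status` as the narrower replacement.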