I need to create documentation giving instructions to generate a Personal Access Token that will only need to create Pull Requests on Github.
I've read the documentation describing the various OAuth scopes, but it is still not clear to me which OAuth scope(s) I need to select in order to be able create a Pull Request.
What OAuth scope(s) need to be selected for users to be able to create Pull Requests?
From https://docs.github.com/en/rest/reference/pulls#create-a-pull-request:
To open or update a pull request in a public repository, you must have write access to the head or the source branch. For organization-owned repositories, you must be a member of the organization that owns the repository to open or update a pull request.
The repos scope should be needed.
And, with the GitHub CLI gh v2.22.0 (Jan. 2023), you can search from within your local cloned GitHub repository:
See gh auth status --show-token: it will display the auth token you are using.
Related
After a quick internet search I couldn't seem to find an easy way for my Azure Pipeline to write a custom comment back to the PR that triggered it. Is this possible? Does it require a PAT? I can't use any solution that requires exposing a PAT to a external PR, as they could then easily exfiltrate it.
Sure, you can add comments to the PR on GitHub from Azure pipelines. You can use the GitHub Comment task in your pipeline to easily write comments to the GitHub PR.
With this task, you also need to create a GitHub service connection, or a GitHub Enterprise Server service connection if your repository is hosted on GitHub Enterprise Server, for use on the task.
When creating the GitHub (or GitHub Enterprise Server) service connection, you can choose an authorization method from the optional.
GitHub service connection -- Grant authorization or Personal Access Token
GitHub Enterprise Server service connection -- Personal Access Token, Username and Password or OAuth2
So, a GitHub PAT is not required if the authorization method you choose is not Personal Access Token.
[UPDATE]
If you are worrying about that the service connection would be abused by someone to attack your source code repository, you can do the following things:
On GitHub, you can create a PAT, and limit the permission scopes of this PAT. More details, see "Creating a personal access token".
On Azure DevOps, you can choose Personal Access Token as the authorization method on the service connection, and fill with the PAT that you created in above step. Then you can limit which users, teams and groups, even which pipelines, can use the service connection in the project. More details, you can see "Secure a service connection".
I am trying to add users to a private Github repo within an organisation. Starting from this post, I've simply changed the API endpoint to cope with organizations (as explained here), and I end up with the following command:
gh api orgs/MY_ORG/repos/MY_USER_NAME/MY_REPO/collaborators/COLLABORATOR_USER_NAME -f '{"permission":"maintain"}';
This command systematically returns a 404 error (note that I also get a 404 when I just try to check if a user has access to a repo, i.e. the GET version of the above command).
I also need to mention that this doesn't seem to be a trivial gh auth login issue since a command like gh repo create MY_ORG/MY_REPO works fine.
Here is also some technical details:
os: macosx 10.15.16
git: 2.24.3
gh: 1.1.0
I take the initiative to answer my own question here since after some investigations (thanks to mislav for his help) and trials and errors, I ve found the proper way to add collaborators to a GitHub repo within an organization with the CLI. I think it is worth posting it, hopefully this will help others.
Invite an outside collaborator to a repo within an organization
gh api -X PUT repos/:org/:repo/collaborators/:username -f permission=:perm
the -X PUT specifies that the request is a PUT and not a GET (default request). The repo's identifier is specified by :org/:repo (note that if the repo is not under an organization, the identifier will be :owner/:repo). The :perm argument indicates the type of access, the default value is push (see here)
So assume I want to provide admin access to jonsnow to the repo winterfell under the organization got, I will use the following command
gh api -X PUT repos/got/winterfell/collaborators/jonsnow -f permission=admin
Note that if you send an invite for the repo directly, the user will appear as an outside collaborator (not as an organization member)
Add a member to the organization and invite him to a repo
You just need to include the user as a member to the organisation beforehand with
gh api -X PUT /orgs/:org/memberships/:username -f role=:role
and then you can provide him access to a specific repo with the same command as above, i.e.
gh api -X PUT repos/:org/:repo/collaborators/:username -f permission=:perm
Note that the value for the various :role can be found here
You can set organization membership for a user
put /orgs/{org}/memberships/{username}
You can add a collaborator to a repo
put /repos/{owner}/{repo}/collaborators/{username}
But I don't think you can combine the two (add a collaborator to an org repo)
That is because that collaborator need to be a member of the organisation first (so receive and accept the invitation), before being added to a repository.
"I want to create a service connection using AzureDevOps with which we get access to only one particular repository. But when I Create service connection it will give access to all repositories present in one account"
I already tried creating a personal access token using Github. But GitHub doesn't allow to create public access token with limited repository access.
How can I generate a personal access token with limited repository access ??
When you create a new GitHub service connection, you can choose Personal Access Token like below.
Then visit https://github.com/settings/tokens to create personal access tokens and you can choose your expected scope.
In this time, I choose the public_repo scope, create the token, copy the token to Azure DevOps and create the new GitHub connection.
As you can see, there are five repositories in my GitHub, one is private and four are public.
Then in the build pipeline source, I just get the four public repositories and don’t get the private repository.
When I try to authorize Azure Devops to get access to my GitHub repositories it wants full access to everything, including:
This application will be able to read and write all public and private repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
But that is to broad access to my taste, how can I just give it access to specific repositories without giving it access to everything?
Create a specific user that has the exact permissions you would grant, create an Access Token for that user to strip some of the requested permissions, don't use the OAuth flow.
Does anyone have an idea on which scope to choose when creating github token to give someone access to git clone a private repository? I tried using the repo scope but this give them full access to modify the code on github.
GitHub doesn't provide a token scope that limits access to reading private repositories. If you want to provide an HTTP token that grants read access to a private repository, you'll need to use the repo scope, which also provides access to write to the repository.
Alternately, you can let them provide you an SSH key, and you can add it as a read-only deploy key, which will restrict their access to reading data.