Is it possible to tell if a release which is published on a GitHub repo was made by someone who logged in with 2FA?
The reason for asking is that we have a tool that integrates GitHub releases (from repos made by other people, ie not part of our GitHub organisation) into an application, and is capable of auto-updating to the latest release.
Although it's user friendly to auto-update, if someone were to steal the credentials of that GitHub user (because they do not use 2FA) then the auto-update could end up installing maliciously crafted code. This scenario has happened to npmjs.
It would be useful to be able to identify that the release was made by someone who does not use 2FA and warn that the release might be "unsafe".
Our application is part of Qooxdoo http://www.qooxdoo.org, which is an open source Javascript development framework.
Related
The project I'm working on currently deploys our private node packages via github packages. Our current workflow is for each developer to create and maintain their own personal access token, and then we use a central account's PAT for automation in AWS.
I was wondering if it's possible to authenticate with github packages without the use of Actions or PAT's?
As of 2022-07-30
No, it is not possible to use github packages without a personal access token (PAT):
It is not possible to upload without a PAT (which makes sense as it prevents random people to upload binaries to your package repo);
It is not possible to download without a PAT (not even publicly available packages can be used);
As early as 2019-10-20, people have requested github to remove PATs as a requirement for mainly downloading public packages.
The idea is that users of libraries should not need to have a github account to access a developer's package.
Sadly, the request for pat-less package downloads was not granted by Github to this day.
If you want a package registry without a hassle, it might be wise to look for other registries, such as MavenCentral or JitPack (not necessarily meant for node packages),
or host a service yourself.
I even had to link a cached webpage, as the original question has been removed from Github community along with a bunch of related questions.
Another question on github, stating pat-less access to packages is still on the roadmap for "fall 2021" is here.
I could not find what the current status of this feature is.
Edit: It is possible to download binaries without a PAT for public repositories using jitpack.io. Jitpack builds the given jar/aar on their servers.
You can add jitpack as a repository to your build system, and use the jitpack-specified URL to reference releases, branches, or specific commits.
Sadly, there is no way to refer to packages (yet).
However, this system allows your users to use your code without needing PATs nor a Github account.
I'd like to offer an alternative.
You may use a Gradle plugin of mine (magik, I was exactly in your shoes) to easier the consumption of artifacts from your Github Packages for Gradle clients.
It require you to save your read-only PAT on the repo itself, so that the users don't have to deal with any authentication (apart using the plugin above mentioned)
i am interested in building a github app. reading through github Setting up your development environment to create a GitHub App documentation it explains that a github app is based on a http server which will handle webhooks.
yet, on every github app i installed, the app\installation did not require anything that involves hosting and/or creation of http server in order to deploy the app to my github accout.
for such github apps, which are installed directly through the github marketplace (you can take probot stale and rennovate as examples for such apps)
where do these application run? (e.g.; does github deploys the app on a dedicate (virtual) server?).
what are the resources limitations for such apps (amount of memory, cpu, etc.?)
how can the github app logs be accessed by the github account owner who installed such app?
links for reference and an answer will be great.
GitHub App is just another app that you create. GitHub apps are treated as first-class citizens when it comes to integrating with GitHub. One can use Nodejs , Ruby, etc to build the App. Once the app is ready it can be hosted on a Server just like any other server hosted apps. You register your app on GitHub by providing relevant details.
So, coming to your questions.
The Apps can run on any hosting service of your choice. It can be a Windows Server, Heroku, etc.
I believe it is only limited by the resource of your server or the hosting service provider that you chose. However you might be ineterset in erading more about the Rate Limit More on Rate limits here.
GitHub app logs are something which only the developer will be able to see. To the end user ,i.e. the repo owner who installed the GitHUb app on his repos, all that will be available are the checks , statuses and any other details that the developer of app decided to display.
A very handy guide on Deployment and other details : Probot Documentation. This documentation is great if you are planning to use the probot framework for developing your github apps, but most of the instructions still stand true in case you decide to pick up a different tech stack.
The most important thing to realise about a (so-called?) Github App is that the App itself does not run anywhere - or at least that is what I would argue. Basically Github Apps are two linked mechanisms, both a bit of infrastructure. The first of these mechanisms is access control, essentially replacing use of user PATs - you can give relatively fine grained access to repos that the App is installed in, rather than just giving access to all repos the user can access. The second mechanism is that of webhooks - generating events as requested.
What Github Apps do not directly provide is the bit between this - handling the webhooks and generating API calls using the App for access. Basically you are on your own and need to do it yourself. The plus, #asif-kamran-malick mentioned, is that you have freedom to implement it how you see fit.
One alternative possibility is that the App itself, rather than setting to handle ongoing Webhooks, runs on installation and looks to add Actions into the repo. Never done it, but some of the github examples seem to work this way. Of course, Actions are run within Github environments and are potentially subject to resource limits. Apart from this though, Actions are a completely separate "beast" and should not be confused.
I'm about to embark on an HTML remediation project. My client is using Bitrix as a task/issue tracker, but isn't currently using anything for Source/Version control.
I've searched up 'Bitrix' and assume that they mean 'Bitrix24'.
Is there a Version Control system which integrates with Bitrix24?
I'd like:
To be able to browse to Version Control from within the Bitrix interface
To link to commit hashes, line numbers and (release) tags from within Bitrix tasks/issues
To use Git rather than SVN
Bitrix has no such feature out from the box - see old topic on Bitrix support forum - https://www.bitrix24.com/support/forum/forum47/topic10287/
I think it is because of CRM-nature of the Bitrix.
You could link your task/issues in Bitrix with commits in GitLab/Bitbucket using third-party hooks:
for GitLab - https://github.com/lolweb/bxGitlab
for BitBucket - https://github.com/Web-LLC/bxGitlab
You could also try to link GitHub commits using Zappier + Bitrix24 free Zappier integration App https://www.bitrix24.com/apps/?app=b24io.zapieren
I have not used them, so don't know if they really work.
Also Bitrix24 has API https://www.bitrix24.com/apps/dev.php to build any integration, but it is a lot of work.
I have seen couple of Github profiles having "Developer Program Member". I searched on Google a lot but not able to find how people get that in their profile.
This is for developers registered to the GitHub Developer Program (like this GitHub profile, for instance)
Membership is open to individual developers and companies who have:
A paid GitHub.com personal or organization plan
(since 2019, you don't need a paid membership anymore)
An integration in production or development using the GitHub API
An email address where GitHub users can contact you for support
That allows for:
Staying in the know:
Be the first to know about API changes and try out new features before they launch.
Scratching an itch
Build your own tools that seamlessly integrate with the place you push code every day.
Taking on the enterprise
Obtain developer licenses to build and test your application against GitHub Enterprise.
By joining this Developer Program,
1) You'll receive ongoing notifications about changes to Github API.
2) You can request a development license for GitHub Enterprise.
3) You can also submit your work for consideration on the integrations page.
Go to this link:
https://developer.github.com/program/
I've fired up an instance of GitHub Enterprise (11.10.272) and created a repository. I've written a pre-receive hook in Ruby which I'd like to use with that repository.
GitHub Enterprise, like regular GitHub, allows the configuration of service hooks. I tried to SSH into the GitHub Enterprise server to create a hook file, but I couldn't find the repo directory. Furthemore, GitHub Enterprise's terms forbid modifying the VM, so I'm not confident this is a great approach.
It seems GitHub:FI supported hooks. The current version of the FI to Enterprise migration tool does not currently support hooks according to Migrating from GitHub:FI.
I know that this is really old, but GitHub Enterprise 2.6 just came out with pre-receive hooks. More information can be learned here: https://help.github.com/enterprise/admin/guides/developer-workflow/using-pre-receive-hooks-to-enforce-policy/.
I'm fairly certain this will perfectly align with the things you are looking for. Hopefully this either helps OP, or anyone else who stumbles upon this later!
Based on my email with GitHub customer support, pre-receive hooks aren't supported for GitHub Enterprise as of May 2013.
We don't have admin access on our GHE box, so we couldn't go in and "fix" this if we wanted to.
They claim that things they do would break if you could reject commits. I assume they mean things like automatic merging of pull requests, but I'm not sure.
They have an extensive set of post-commit webhooks which you could use for post-commit functionality.
I'm looking into building a "pass-through git server" -- basically, poll the GHE API frequently to make a local clone of any repo that exists on certain GHE accounts, and then auto-clone it with custom pre-recieve and post-receive hooks. This would let us clone off the pass-through server, do our pre-receive hooks there, and push approved changes through to GHE. There doesn't seem to be any kind of standard pass-through server for git out there yet, probably because you need to know what repos to clone, which doesn't seem to have a standard git API.
GitHub Enterprise seems to store repostories in /data/repositories. Each repository has hooks generated by a template. I can modify these hooks, but that would surely break something. The template hooks seem to look for hooks in another location, but that location is defined in config and I can't find it.