How to connect Azure Devops with GitHub without giving it access to all repositories? - azure-devops

When I try to authorize Azure Devops to get access to my GitHub repositories it wants full access to everything, including:
This application will be able to read and write all public and private repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
Collaboration invites
But that is too broad for my taste. How can I give it access to specific repositories only, without giving it access to everything?

Create a specific user that has exactly the permissions you would grant, create an Access Token for that user to strip some of the requested permissions, and don't use the OAuth flow.

Related

What permission do I need to give my GitHub App in order for it to access a user's private repos?

I am creating a GitHub app and, on its permission page, in the Repositories section, I can give it a number of permissions.
The Metadata Read-Only permission is "Mandatory" and provides access to "Search repositories, list collaborators, and access repository metadata."
However, this seems to only provide access to public repos.
In https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/authorizing-github-apps, it says:
When authorized, the GitHub App will be able to programmatically read the private GitHub resources that you can access (such as private GitHub repositories) where an installation of the GitHub App is also present. The application may use this, for example, so that it can show you an appropriate list of repositories.
However in the permission list of the GitHub app, there is no such permission as "Access to Private Repositories".
In https://docs.github.com/en/rest/overview/permissions-required-for-github-apps, it is mentioned that the Metadata permission:
provides access to a collection of read-only endpoints with metadata for various resources. These endpoints do not leak sensitive private repository information.
So, my understanding is that the Metadata permission is not enough to access a user's list of private repositories.
I then went into https://github.com/settings/apps/NAME_OF_MY_APP/permissions and, in the "Repository permissions" section, found a list of possible permissions, but nothing related to "private repositories".
Currently, my app is working, and providing my code with an accessToken which seems to work, because I can take that token and run:
curl -u MY_USER:MY_TOKEN "https://api.github.com/user/repos?visibility=public"
However, even though MY_USER is known to have private repos, the following yields an empty list:
curl -u MY_USER:MY_TOKEN "https://api.github.com/user/repos?visibility=private"
(The above "curl" was taken from How to Use the GitHub API to List Repositories, Carlos Schults, 7 May 2022, FuseBit)

OAuth Scope required for Creating Github pull requests with Personal Access Token

I need to create documentation giving instructions to generate a Personal Access Token that will only need to create Pull Requests on Github.
I've read the documentation describing the various OAuth scopes, but it is still not clear to me which OAuth scope(s) I need to select in order to be able create a Pull Request.
What OAuth scope(s) need to be selected for users to be able to create Pull Requests?
From https://docs.github.com/en/rest/reference/pulls#create-a-pull-request:
To open or update a pull request in a public repository, you must have write access to the head or the source branch. For organization-owned repositories, you must be a member of the organization that owns the repository to open or update a pull request.
The repos scope should be needed.
And, with the GitHub CLI gh v2.22.0 (Jan. 2023), you can search from within your local cloned GitHub repository:
See gh auth status --show-token: it will display the auth token you are using.

Create GitHub PR Comment from Azure Pipeline

After a quick internet search I couldn't seem to find an easy way for my Azure Pipeline to write a custom comment back to the PR that triggered it. Is this possible? Does it require a PAT? I can't use any solution that requires exposing a PAT to an external PR, as they could then easily exfiltrate it.
Sure, you can add comments to the PR on GitHub from Azure pipelines. You can use the GitHub Comment task in your pipeline to easily write comments to the GitHub PR.
With this task, you also need to create a GitHub service connection, or a GitHub Enterprise Server service connection if your repository is hosted on GitHub Enterprise Server, for use on the task.
When creating the GitHub (or GitHub Enterprise Server) service connection, you can choose an authorization method from the following options:
GitHub service connection -- Grant authorization or Personal Access Token
GitHub Enterprise Server service connection -- Personal Access Token, Username and Password or OAuth2
So, a GitHub PAT is not required if the authorization method you choose is not Personal Access Token.
[UPDATE]
If you are worried that the service connection could be abused by someone to attack your source code repository, you can do the following:
On GitHub, you can create a PAT and limit the permission scopes of this PAT. For more details, see "Creating a personal access token".
On Azure DevOps, you can choose Personal Access Token as the authorization method on the service connection and fill in the PAT that you created in the step above. Then you can limit which users, teams and groups, and even which pipelines, can use the service connection in the project. For more details, see "Secure a service connection".

Is there any option available to create Service Connection on Azure Devops with only limited repositories access?

"I want to create a service connection using Azure DevOps with which we get access to only one particular repository. But when I create a service connection, it gives access to all repositories present in one account."
I already tried creating a personal access token using GitHub. But GitHub doesn't allow creating a public access token with limited repository access.
How can I generate a personal access token with limited repository access?
When you create a new GitHub service connection, you can choose Personal Access Token like below.
Then visit https://github.com/settings/tokens to create personal access tokens and you can choose your expected scope.
This time, I choose the public_repo scope, create the token, copy the token to Azure DevOps and create the new GitHub connection.
As you can see, there are five repositories in my GitHub, one is private and four are public.
Then in the build pipeline source, I just get the four public repositories and don’t get the private repository.
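Before pasting a classic PAT into the service connection, you can confirm it carries only the scopes you intended (for example public_repo rather than the broad repo scope). This is an added example, not code from any of the posts above; it relies on the X-OAuth-Scopes header GitHub returns on authenticated API calls for classic tokens, and the IMPLIED table is my reading of which sub-scopes the broad scopes contain.

```python
"""Check that a GitHub classic PAT carries only the scopes you intended.

Added example (not from the original posts). GitHub reports a classic
token's scopes in the X-OAuth-Scopes response header of any
authenticated API call; the scope names below are GitHub's.
"""
import urllib.request

# Sub-scopes already contained in a broader scope (per GitHub's scope docs).
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_scopes(header_value):
    """Turn 'repo, read:org' into {'repo', 'read:org'}; '' means no scopes."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand(scopes):
    """Add every scope implied by a broader one, so 'repo' counts as public_repo too."""
    result = set(scopes)
    while True:
        before = len(result)
        for s in list(result):
            result |= IMPLIED.get(s, set())
        if len(result) == before:
            return result


def excess_scopes(granted, allowed):
    """Scopes the token has beyond the policy, after expansion.

    A token holding 'repo' when only 'public_repo' is allowed is flagged,
    because 'repo' also reaches private repositories.
    """
    return expand(granted) - expand(allowed)


def fetch_scopes(token):
    """Ask the API which scopes a token carries (network call; not used by tests)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}", "User-Agent": "scope-check"})
    with urllib.request.urlopen(req) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))
```

Run `excess_scopes(fetch_scopes(token), {"public_repo"})` against a token you are about to store; an empty set means it grants nothing beyond the public_repo scope the answer above relies on.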

Token to Read Code from a Single Repository

Is it possible to create a token for read-only access to a single repository within VisualStudio.com Team Services?
I see I can use a Personal Access Token to limit access to a Team Services Server, but it appears to be for the entire server rather than a single repository.
Surely, there must be a way to do this.
There isn't a token at the single-repository level, but Personal Access Token permissions are based on the user who created the token.
So, you can refer to these steps below to generate a personal access token for your requirement:
Add an additional user to your VSTS instance
Log on to your VSTS with that account and create a Personal Access Token.
Log on to your VSTS with your own account and remove some permissions from that account (e.g. grant only the necessary permissions for one repository).
After that, this Personal Access Token can access just a single repository.