I'm confused about github machine users. I want to add an ssh key with read only rights to my repo to use for automation and have it tied to my repository/organization. But it seems like I need to create an actual github user that is not scoped to anything. I'm referring to where you add a collaborator by "Search by username, full name or email address". This seems like a poor match for what I'm trying to do. Is there a way to create a machine user that can be managed by the organization without creating a github user?
It's a sine qua non that an ssh key is associated with a user, so you must create a user. See https://developer.github.com/v3/guides/managing-deploy-keys/#machine-users
GitHub says it's "totally cool" to create a single machine user for automation.
Related
I asked this question on the github community support forum, but I'll ask this here too since no reply there...
I am trying to setup a Github App to give some scripts limited Admin rights to some repos in an Organisation. The Organisation is (I believe) under an Enterprise account - we are using this currently instead of having an Enterprise server. I have created the App, transferred it to the Organisation, and one of the Organisation Admins (which I an not) has set me as the manager. So far so good. However, although I can see the App in the Organisation Settings, there is no “Install App” button. Also trying to use it in scripting gives 401 (A JSON web token could not be decoded) errors trying to get hold of a “PAT” for the app - even though the Admin has installed it into the app.
There is obviously something wrong but I’m at a loss. Does anybody know of some extra logs that can be looked at or have a suggestion on how to approach this. We’ve tried deleting the app and retrying - no different. I should say this is the third app I’ve created for transferring into the organisation this way - so far it has just worked.
We raised a support ticket on this so got a formal answer. I thought it might be useful to replicate the key part of the answer here. Essentially the issue is the fact this App has Admin rights. I am an Administrator on some of the repos, and am "App Manager" for this App, but I am not an Owner of the Organisation.
I quote:
"""GitHub App permission requests [control] access to a number of organization REST API endpoints... As these endpoints are outside the individual repository scope, only the organization owner can approve requests to add or change them. If this wasn't the case, App Managers who aren't organization owners would be able to grant an application the ability to view organization members and teams - which is private organization information that can otherwise only be granted by organization owners via inviting new organization members."""
Basically that is it. The original idea was to allow a central place to set some things that only an Administrator could set in a repo - c.f. branch rules. Seems that this can't be done as is with an App - the system just isn't flexible enough.
The alternative, which I know works, is to use the PAT of a user with Admin rights. That just feels less secure.
I want to know if there is a way to give access to a private repository to people who don't have a GitHub account. Like a link, app or integrating the GH account to some platform like Teams or Slack. The people I intend to share code with share a Microsoft Teams team with me and a corporation mail name#comapny.com. Secure an official suggestions only please.
If your goal is to give them access to clone a repository but not otherwise interact with it, then you can use read-only deploy keys to allow them to clone and fetch the repository via SSH.
Otherwise, if you need more access, then each user will need to have their own GitHub account. It's intentional that users need their own accounts to properly enforce access controls and 2FA policies and to permit users to block and report bad actors. GitHub does not permit accounts to be shared.
I have to think of a way to create an approval process on Bitbucket for repositories.
Before creating a repository, co-worker submits a ticket to get approval from manager to be able to get the "go-ahead create repository" or denied. Is this possible to do?
My manager notified it could be similar to submitting a ticket on Sharepoint.
I have not found any ways by trail and error or from using resources, so I am reaching out to see if anyone else had to do something similar.
Are you using Bitbucket Cloud or Bitbucket Server?
In either case, I don't believe there's a way to provide conditional, temporary permission to create a single repository of a specific name or team/project.
What I would do in your situation is to set up some kind of bot account (whether using a dedicated account, or a selected individual's account in combination with an app password/personal token) that could be triggered by your approval process and would create a specified repo and grant permissions to it to a specified user. Depending on the tools you're using it's a pretty open ended solution space, but the API calls for Bitbucket Cloud and/or Server should be reasonably straight forward to achieve this, so it's just matter of figuring out how you would trigger and run such an automation.
I'm part of a GitHub organization developing a FOSS project. I'd like to run CI tests on Windows using AppVeyor. Currently I see my own fork of the project, and some other forks from people who have named me collaborator in GitHub. I don't see the upstream of the project, though. Apparently me being an administrator of the GitHub organization isn't enough to offer access to it in AppVeyor. But probably setting this up under my account would be the wrong approach anyway. Probably this should be under the name of the organization.
Towards that end, I'd like to have an AppVeyor account for this organization, with suitable permissions for its members. Reading http://www.appveyor.com/docs/team-setup it sounds as if AppVeyor could distinguish between users (with unique email and password) and accounts (to which projects belong), and a single user apparently can belong to multiple accounts while one account can have multiple users with different roles. In that sense, I'd like to create a new account without creating a user for it. Instead I as an existing user, identified by GitHub login, would like to become the first administrator of this new account, and ready to change settings and add more users. How do I do this?
You can't create a new account without a user. Just use some your email/password to create an account, then add existing user as collaborator.
I have an account setup exactly the way I'd like a number of individuals accounts setup and I'd like to create them as clones of this account so the get the initial set of permissions without me having to manually set all the permission on each account.
Note: It is fine (ideal?) if once the accounts are created that they no longer have a relationship with the original account. For instance, if User A is the base account that is being used to create all the other accounts, once User B is made from User A then all further changes on User A will not be reflected on User B.
Any ideas?
In answer to your question: no, there is no clone/copy user feature in the User Editor in Sitecore.
It sounds like you would be better off creating a role with all these permissions, then assigning this role to any new users you create. You could then modify the permissions of the individual users as necessary.
Note this would not be the ideal solution as it's always better to apply security to roles rather than individual users.
Perhaps you could achieve what you need by creating a collection of roles and assigning different combinations of them to each user?
Try installing this Sitecore Module.This will clone the user in User Manager
SITECORE USER CLONE
Sitecore User Clone is used to create the copy of the user with the same roles, name, email, and profile. It will prompt to accept the new username, password and all the editable fields same like Edit user.