I want to use Google Container Builder to build a container from github. I follow the directions from here. When I connect to github, it gives me a long list of the repo's I can use. It includes repos in my account and in organizations where I have owner rights. It omits one particular organization, even though I have owner rights on those repos, too.
I tried listing the repo's with this command:
curl --silent -u rscohn2:xxx https://api.github.com/user/repos?per_page=100\&page=1 | grep full_name
and again for page=2. This listing matches the list that GCP presents, except it also include the missing repo's. I get the same list from github when I use Source Repositories. I tried logging out of github so it logs in again. I cannot see what is special about the missing repo's to make GCP omit them. Any suggestions?
Related
I am creating a GitHub app and, and on its permission page, in the Repositories section, I can give it a number of permissions.
The Metadata Read-Only permission is "Mandatory" and provides access to "Search repositories, list collaborators, and access repository metadata."
However, this seems to only provide access to public repos.
In https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/authorizing-github-apps, it says:
When authorized, the GitHub App will be able to programmatically read the private GitHub resources that you can access (such as private GitHub repositories) where an installation of the GitHub App is also present. The application may use this, for example, so that it can show you an appropriate list of repositories.
However in the permission list of the GitHub app, there is no such permission as "Access to Private Repositories".
In https://docs.github.com/en/rest/overview/permissions-required-for-github-apps, it is mentioned that the Metadata permission:
provides access to a collection of read-only endpoints with metadata for various resources. These endpoints do not leak sensitive private repository information.
So, my understanding is that the Metadata permission is not enough to access a user's list of private repositories.
I then went into https://github.com/settings/apps/NAME_OF_MY_APP/permissions and, in the "Repository permissions" section, found a list of possible permissions, but nothing related to "private repositories".
Currently, my app is working, and providing my code with an accessToken which seems to work, because I can take that token and run:
curl -u MY_USER:MY_TOKEN "https://api.github.com/user/repos?visibility=public"
However, even though MY_USER is known to have private repos, the following yields an empty list:
curl -u MY_USER:MY_TOKEN "https://api.github.com/user/repos?visibility=private"
(The above "curl" was taken from How to Use the GitHub API to List Repositories, Carlos Schults, 7 May 2022, FuseBit)
I am trying to add users to a private Github repo within an organisation. Starting from this post, I've simply changed the API endpoint to cope with organizations (as explained here), and I end up with the following command:
gh api orgs/MY_ORG/repos/MY_USER_NAME/MY_REPO/collaborators/COLLABORATOR_USER_NAME -f '{"permission":"maintain"}';
This command systematically returns a 404 error (note that I also get a 404 when I just try to check if a user has access to a repo, i.e. the GET version of the above command).
I also need to mention that this doesn't seem to be a trivial gh auth login issue since a command like gh repo create MY_ORG/MY_REPO works fine.
Here is also some technical details:
os: macosx 10.15.16
git: 2.24.3
gh: 1.1.0
I take the initiative to answer my own question here since after some investigations (thanks to mislav for his help) and trials and errors, I ve found the proper way to add collaborators to a GitHub repo within an organization with the CLI. I think it is worth posting it, hopefully this will help others.
Invite an outside collaborator to a repo within an organization
gh api -X PUT repos/:org/:repo/collaborators/:username -f permission=:perm
the -X PUT specifies that the request is a PUT and not a GET (default request). The repo's identifier is specified by :org/:repo (note that if the repo is not under an organization, the identifier will be :owner/:repo). The :perm argument indicates the type of access, the default value is push (see here)
So assume I want to provide admin access to jonsnow to the repo winterfell under the organization got, I will use the following command
gh api -X PUT repos/got/winterfell/collaborators/jonsnow -f permission=admin
Note that if you send an invite for the repo directly, the user will appear as an outside collaborator (not as an organization member)
Add a member to the organization and invite him to a repo
You just need to include the user as a member to the organisation beforehand with
gh api -X PUT /orgs/:org/memberships/:username -f role=:role
and then you can provide him access to a specific repo with the same command as above, i.e.
gh api -X PUT repos/:org/:repo/collaborators/:username -f permission=:perm
Note that the value for the various :role can be found here
You can set organization membership for a user
put /orgs/{org}/memberships/{username}
You can add a collaborator to a repo
put /repos/{owner}/{repo}/collaborators/{username}
But I don't think you can combine the two (add a collaborator to an org repo)
That is because that collaborator need to be a member of the organisation first (so receive and accept the invitation), before being added to a repository.
Usually one must click link "Invite teams or people" after accessing "https://github.com///settings/access" in a web browser.
But, I wish to do this through a command line interface, because I must invite
many persons. Is it possible?
You could use the GitHub API in order to add a collaborator
PUT /repos/:owner/:repo/collaborators/:username
See for instance here:
curl -H "Authorization: token YOUR_TOKEN" "https://api.github.com/repos/YOUR_USER_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME" -X PUT -d '{"permission":"admin"}'
With permission level being one of:
pull - can pull, but not push to or administer this repository.
push - can pull and push, but not administer this repository.
admin - can pull, push and administer this repository.
maintain - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
triage - Recommended for contributors who need to proactively manage issues and pull requests without write access.
(default is "push")
Update Sept. 2020, considering GitHub CLI gh is now 1.0, it could be a good feature to add (a kind of gh repo invite)
In the meantime, you can use gh pi to make a similar API call, automatically authenticated, with -f to add POST fields.
gh api repos/YOUR_USER_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME" -f '{"permission":"admin"}'
An alternative using hub:
1- Check all users with permissions in your repo:
hub api --flat 'repos/YOUR_USER_OR_ORGANIZATION_NAME/YOUR_REPO/collaborators' | grep -E 'login|permissions'
2- Give permission to an user :
hub api 'repos/YOUR_USER_OR_ORGANIZATION_NAME/YOUR_REPO/collaborators/COLLABORATOR_USER_NAME' -H X:PUT -H d:'{"permission":"admin"}'
You can use the github cli or call the github api directly through curl. In this example I add a member to a company repo using the github cli:
gh api "orgs/$target_repo/teams/$team/repos/$target_repo/$repo_new_name" -X PUT -f permission=admin
Also see the docs: https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions
For your situation you can use this endpoint:
https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator
This one is rather complicated to describe. I have two github accounts, I will refer to them as github A and B.
I had created a local repo X and tried to connect it to a new remote repo I created on github account A. However, my default github login credetials were set for my github account B. I went through this tutorial and was able to add a second key created in my .ssh to allow me access to acct. A at will. This method worked and allowed me to add the new remote repo on github account A to my local repo X. I could then push origin to master just fine.
I then made a clone of the same repo X on github account A and placed it in a new local location (same drive, different folder) which I will refer to as local repo Y. I then tried to push changes to the same remote repo on github A and it denies me saying I'm trying to access using my username for my remote github B account.
I tried re-adding the remote url via the same special .ssh key previously created for repo X and use it for the local repo Y but it says it already exists.
I'm looking for a simple solution here, hopefully one exists. I would appreciate your help on this.
You can test what actual key is used with:
ssh -Tv <yourSSHConfigEntry>
Make sure to use an ssh URL like yourSSHConfigEntry:/ (no need to prefix it with git#: the User should be in your ~/.ssh/config file)
The idea is: your SSH config file should use the right private key, whose public key has been registered to the right GitHub account.
Check the remote URL: git remote -v. If it starts with git#github.com, it won't use the ssh config entry.
Type:
git remote set-url origin <my-github-acct-A>:<user>/<repo>
That will use the SSH config entry, and make sure the User in it is "git".
I'm pretty sure the issues you're running into are a result of managing multiple accounts on the same computer, regardless of the repos being duplicates.
If you haven't already, I'd suggest you take a look at the very detailed answers provided here.
I have been through this trouble many times and have resolved it by setting the ssh config rules or by enforcing the ssh-agent to have the correct ssh key alone.
I have documented the entire process and Freecodecamp published the article.
Here's the link! Hope this will help whenever you come across this use case. :)
I have followed the process described in Multiple GitHub Accounts & SSH Config (stefano's answer) and have set up SSH access to multiple repositories using deploy keys. I've tried that on repositories of a specific GitHub organization and it works fine - I can pull and push changes. I've also tried this on my user area and it still works great.
However, when trying this on repositories in another GitHub organization (e.g. when doing a git push) it fails with the following error
ERROR: Permission to XXXX/YYYY.git denied to deploy key
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
When checking SSH access through ssh -T I get
"Hi XXX/YYYY! You've successfully authenticated, but GitHub does not provide shell access."
which suggests that SSH should be working.
I have gone through the organization settings (main page for GitHub organization > Settings) and they have pretty much identical settings, except from what you would expect to be different e.g. contact email etc.
I was wondering if anyone has any ideas about what could be causing this. Are there any more organization settings somewhere by any chance?
ERROR: Permission to XXXX/YYYY.git denied to deploy key
This looks like you are trying to push using a deploy key. This key is used for deployment and therefore only to read-only access of your repository. Make sure you have the key which is enrolled in your github account, make sure it is used (IdentityFile in ~/.ssh/config) and get rid of the deploy key from the standard location which is picked by default (~/.ssh/id_{rsa,dsa,ecdsa,ed25519}). Note, that if there are more "valid" keys, only the firs succeeds.