I have a Github App set up using their v3 API. I am successfully authenticating and I can create and modify repositories. I'm trying to also attach a deploy key to a newly created repository. However, I'm getting 403: Resource not accessible by integration -- this is regardless of whether I try to read or write the keys. The app is installed on the organization, and the repository is also owned by that same org.
The api documentation gives routes for managing deploy keys: https://developer.github.com/v3/repos/keys/#add-a-new-deploy-key
But the permissions list doesn't mention deploy keys at all: https://developer.github.com/v3/apps/permissions/#permission-on-administration
I have turned on Read & Write access for Repository Administration, Repository Contents, and Repository Projects in the permissions for the app, but I'm still getting this access error.
That endpoint hasn't been enabled for GitHub Apps yet -- you can only use it with OAuth tokens currently (or Basic Auth).
I recommend requesting that this be added for GitHub Apps over on the Platform forum for Apps:
https://platform.github.community/c/integrations
That's the best place to ask questions and provide feedback about GitHub Apps (GitHub staff monitors that forum and answers questions).
I can add deploy keys with "Read and write access to administration" permission. (as of Jan 17, 2023)
Related
I found the Has Permissions API (https://learn.microsoft.com/en-us/rest/api/azure/devops/security/permissions/has-permissions?view=azure-devops-rest-6.0) and the Create Permissions Report API (https://learn.microsoft.com/en-us/rest/api/azure/devops/permissionsreport/permissions-report/create?view=azure-devops-rest-6.0), but these two do not fit the requirements.
I was wondering if there is an API that can get all the Repos under a project that a user has edit permission to?
The two API you mentioned are normally used to manger the user's global permissions that will affect in all the projects in the organization.
As far as I know, currently, we have no available API or CLI can list all the repositories in a project that an user has the edit permission or other specified permissions.
A user installed my github app for his personal account (not organization). My github app has read & write administration permissions.
When I perform the request (I use go-github sdk) I get the following error:
POST https://api.github.com/user/repos: 403 Resource not accessible by integration []
There are two different endpoints for creating repositories in organization and for user. Endpoint for creating user repos is the POST method /user/repos. When I look github official documentation on github app permissions it doesn't actually list POST method for user/repos. So it's not clear how to create user repos via github app, if possible at all.
I got a response from github support. This behaviour is expected. To create new repos under a user you have to use user-to-server token (oauth2 token). It can be acquired during installation if you enable option "Request user authorization (OAuth) during installation" in your github app. This way user not only install your github app but also will authorize your github app.
What is the difference between a GitHub App and the REST API for GitHub? Why would you need a GitHub App if you can just use the REST API, without setting any environment up?
The REST API should just be a collection of endpoints that accept a POST along with access tokens. But the GitHub App requires cloning an entire repo written in Ruby, that has nothing to do with my app.
I am not looking for users to integrate with my repo, I want them to be able to connect their own repo to the application.
But the GitHub App requires cloning an entire repo written in Ruby, that has nothing to do with my app.
I don't believe this is true.
GitHub Apps make the process of integrating 3rd party tools into your GitHub repositories smoother.
GitHub Apps are installed by organizations and granted access to specific repositories via GitHub. For example, CodeClimate is a tool which performs checks on pull requests. Rather than granting them OAuth access to my repositories, I can install the CodeClimate GitHub App on my organization and configure which repositories they have access to. I can see all the apps installed and what their permissions are.
Note that "installing" a GitHub App does not install any code. "Installing" gives the app permissions for the service to access your organization and repos. A GitHub App is a wrapper around an existing service.
If you want users to connect their repos to your application, consider a GitHub App.
This is covered in About apps.
An OAuth App acts as a GitHub user, whereas a GitHub App uses its own identity when installed on an organization or on repositories within an organization.
GitHub Apps are the officially recommended way to integrate with GitHub because they offer much more granular permissions to access data, but GitHub supports both OAuth Apps and GitHub Apps.
GitHub Apps are first-class actors within GitHub. A GitHub App acts on its own behalf, taking actions via the API directly using its own identity, which means you don't need to maintain a bot or service account as a separate user.
GitHub Apps can be installed directly on organizations and user accounts and granted access to specific repositories. They come with built-in webhooks and narrow, specific permissions. When you set up your GitHub App, you can select the repositories you want it to access. For example, you can set up an app called MyGitHub that writes issues in the octocat repository and only the octocat repository. To install a GitHub App, you must be an organization owner or have admin permissions in a repository.
GitHub Apps are applications that need to be hosted somewhere. For step-by-step instructions that cover servers and hosting, see "Building Your First GitHub App."
Differences between GitHub Apps and OAuth Apps has a complete breakdown.
We are hosting some repository on GitHub, some other on GitLab.
Sometimes, the package is published but not the source code.
We always display build status and code coverage in README.md.
Is there a way to have build and coverage badge on GitLab always accessible to anonymous?
Since release 11.4.8 of Gitlab it's not possible to expose project's Badges through a Personnal Access Token anymore. Because of the change "
Restrict Personal Access Tokens to API scope on web requests."
The commit that removed this "workaround" was published as a security fix
An ongoing issue is currently being discussed to find another solution. Let's see how it goes.
That was followed by issue 13324
It includes:
FYI, I have a workaround for this using the GitLab API.
It assumes you have created a token in GitLab for a user (Note: That "user" needn't necessarily be Human - my use case is to display a badge on a dashboard hosted on a different VM).
<img src="https://<gitlab-uri>/<namespace>/<project>/badges/<branch>/build.svg?private_token=<token>
Update Dec. 2018: This is no loger possible through a token (see Paul B.'s answer).
This is because of "Improper Enforcement of Token Scope":
The GitLab web interface was vulnerable to an authorization issue that allowed access to the web-UI as a user using their Personal Access Token (PAT) of any scope.
The issue is now mitigated in the latest release and is assigned CVE-2018-19569.
But...:
Updated: 2018-11-28: We have received reports that this change has impacted how repo files and job artifacts are downloaded for some users.
For instructions on how to do so through the API, please see our support issue.
And you also have a current workaround which repeats the API access:
It is possible to add the project avatar to the project repository with a particular filename (logo) and then this file will be used for the avatar. There is an example here:
https://gitlab.com/issue-reproduce/project-avatar-repo
You'll be able to retrieve the files through the Repository Files API:
https://docs.gitlab.com/ee/api/repository_files.html#get-file-from-repository
Example:
https://gitlab.com/api/v4/projects/issue-reproduce%2Fproject-avatar-repo/repository/files/logo.png?ref=master
So I've been reading GitHub developer docs and about webhooks they have the following statement:
Webhooks allow you to build or set up GitHub Apps which subscribe to certain events on GitHub.com. When one of those events is triggered, we'll send a HTTP POST payload to the webhook's configured URL. Webhooks can be used to update an external issue tracker, trigger CI builds, update a backup mirror, or even deploy to your production server. You're only limited by your imagination.
However, about Apps they've also got this statement:
Apps on GitHub extend and improve existing workflows. People can
purchase apps from GitHub Marketplace or browse useful tools and
services that integrate with GitHub in Works with GitHub.
If you're building or adding integrations, this documentation will
help get you up and running.
For support requests, bug reports, and discussions related to GitHub
Apps (not OAuth Apps), use the GitHub Platform Forum. The forum allows
you to collaborate with other integrators as well as engineers and
product managers from GitHub.
If your request is about OAuth Apps, or if you need to discuss a
private concern, please contact support directly.
This seems that Webhooks can only be used with GitHub Apps? The difference between GitHub Apps and GitHub OAuth Apps isn't very clear and I fail to see why an OAuth app would not be able to use Webhooks?
Edit
Can Webhooks be used with a GitHub OAuth App?
Yes.
Webhooks allow you to build or set up GitHub Apps which subscribe to certain events on GitHub.com.
This is an incorrect statement. This should be 'an integration with GitHub' rather than 'GitHub Apps'.
This seems that Webhooks can only be used with GitHub Apps?
No. GitHub Apps include implicit support for Webhooks. OAuth Applications request tokens with a scope for write:repo_hook or admin:org_hook to register a Webhook on the Repository or Organization.
There is a guide for creating webhooks that suggests to use the repo hooks or org hooks API endpoints.
The difference between GitHub Apps and GitHub OAuth Apps isn't very clear and I fail to see why an OAuth app would not be able to use Webhooks?
There is documentation that describes some differences between GitHub Apps and OAuth Apps.
TLDR advantages of GitHub Apps:
Granular Permissions
Option to use short-lived Tokens
GitHub Apps do not need to add a Webhook to a Repository or Organization
Avoids having Machine/Service Account users
Original
Webhooks allow your server/application to get notified whenever a specific event happens - regardless of whether you are using OAuth or GitHub App. Your application will then need to process an event and act accordingly.
Separately, your application will need to interact with GitHub's API to create, read, edit, or delete information. GitHub will usually require credentials to access or update specific information. Authentication to GitHub's API can use multiple methods:
None
Basic Authentication (username/password)
OAuth2 Token
Personal Access Token (PAT)
Installation Access Token
There are additional differences between legacy GitHub integrations and GitHub Apps.
Older integrations were based on Oauth2 and use a Token associated with a user's account. Integrations would interact with GitHub's API on behalf of a user - which is why some organizations would set up a machine user. Webhooks also need to be added explicitly.
GitHub Apps will interact with GitHub's API on it's own behalf. You must explicitly grant a GitHub App access to an Organization or Repository which enables both Webhook and API access.