Security around Workflow CPS Global Lib git repository - jenkins-workflow

What security, if any, is available for the CPS Global Lib git repo? Is this fully read/writable by anyone who has added their SSH public key? Or is there a way to limit access to this repository?

You must have the Overall/RunScripts permission in order to push to it. See also JENKINS-26538.

Related

Copy all repos of an organisation to another account

I'm part of an organisation on github and would like to copy all the repos of that organisation to another regular github account at once.
I thought there would be a tool to help me to do this easily but haven't found one yet. What would be the easiest way to approach this? Thank you
I have tried looking into gh but I'm not sure it's the right tool for it. All I'm trying to do is basically cloning all the repos of the organisation I am a part of to another github account in one go
I have tried looking into gh but I'm not sure it's the right tool for it.
Considering there does not seem to be a native feature allowing for a bulk copy you want, gh is actually a good option.
Depending on the fork policy of your organization and the nature of said repositories (public or private), you should be able to write a script, using the GitHub CLI gh, which would:
list the repositories of an organization (gh repo list)
fork it (gh repo fork)
Note that will not copy issues or pull-requests.

GitHub - How to clone repository on a shared server without giving access too all my repos

My question is the same as Github add SSH key from others will grant access to all repos?, except my use case is that I am working on a shared server with other contributors. We all need access to a certain repository on this server. However, since GitHub requires SSH now, how can I clone and use the repository without adding my SSH key to the server and allowing everyone else access to all of my personal repositories?
I have already added my teammates as contributors in the repo we want to clone; it would be nice if we could each individually use our username and passwords to interface with the repo (like the old HTTPS method of cloning git repositories) without having to share our private keys with each other. If there is an option to only allow SSH access to a specific repo, that would be nice as well.
The only workaround I can think of right now is to create a dummy GitHub account with the sole purpose of accessing this repo, and registering our SSH key with that GitHub account. But this seems very contrived and I'm wondering if there is a better solution to this problem.
A dummy github account with only the right permissions to access the one repo is what GitHub calls a Machine Account and is the recommended way to provide access under scenarios like these.
Alternatively, you could use a deploy token, those are bound to a single repo by default.

Github Pro: How to give read only access to a private repository?

We have a Github pro account and have a Github repository for which we want to give read-only access to a few people. They should be able to get the code with this access but shouldn't be to modify this repository in any way.
Is this possible?
If your goal is to allow them to clone the repository but still modify it on their own system, you can do this by either assigning them as collaborators on the repository with the read privilege under Settings → Manage Access.
If your goal is to prevent them from modifying the repository even on their own systems once it's cloned, then that isn't possible.

github limited access to project folders

I have a github repository with few folders in it. What I would like to achieve is that I want to provide access to shared users to only particular folders. How can I achieve this?
I think using a Git submodule might give you what you want here. Submodules behave like repositories which effectively live inside of another repository. You could place the shared code into a submodule and then only grant permission to this section of the parent repo for shared users. Your shared users would not have permission to the outer parent repo.
Have a look here for more information: Does GitHub have built-in support for submodules?

Git: Access Control? How to do in practice

how would one protect a GIT repository of a complete (java) application from having a developer getting access to all the source code in the repository. I know GIT is a distributed Versioning Control where a developer normally "downloads/fetches" the complete(!) repository.
My Questions:
How to sperate "modules/autonomous parts" in git? For example havng a module "payment layer" and "database layer" and "processing layer" and so forth all abstracted via APIs/Interfaces. Do i have to setup a seperate git repository for all those modules?
Is there a way to have one large repository in GIT but to somehow restrict the access by path? (A client should only recive those files he was granted access to)
Is there a way to have one large repository in GIT but to somehow restrict the access by Branch/Tags? (A client should only recive those files he was granted access to)
Just in Case someone knows this too: Is there a way in eclipse to chekout content from multiple GIT repositories into one project and also (the other way round) commit code within in one eclipse project to multiple different GIT repositories (based on package names/paths or in the context menu)?
Thank you very much
Markus!
You will have to split up the code into multiple git repositories if you want differential control. You cannot control by branches or whatever. Git downloads the entire repo. Period.
You can look into git modules for a mechanism for making it easier to work with a thing built of multiple git repositories.
1) and 4) depends a lot of your build evironment. In git you try to have separate repositories per modules, but if the setup of the source tree becomes painful you can use git submodules (though not much people like them) or the repo tool the Android project uses. This allows you to have an "umbrella" project composed of more subprojects. Not sure if it is worth it for just a few components. Just one git repo may still make more sense.
For questions 2) and 3):
For access, I would recommend that every sub-team keeps its own fork (repository) and somebody reviews what they push to the integration repository. If you don like this approach, you can use git server hooks to enforce policies writing scripts.
In this case, the hook could check who is pushing, and the path or refspec (branch) against some config file describing the policy. This is documented here:
https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy
1). Look at Git submodules http://linux.die.net/man/1/git-submodule
2,3). Look at Gitolite https://github.com/sitaramc/gitolite/blob/pu/doc/gitolite.conf.mkd
4). I don't think any eclipse-git plugins allows that. However, you can use an external/command-line client to achieve what you want.