reduce scope of GitHub permissions required #22

Open
opened 2024-10-30 13:27:03 +00:00 by zramsay · 6 comments
Member

the GitHub client should only request read permissions from public / private repos

ashwin was assigned by zramsay 2024-10-31 14:40:44 +00:00
Author
Member

the GitHub client also shows private repos of the org being used for the app
Member

Scope of GitHub permissions has been set to `public_repo` and `user`
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

`user` scope is required to list orgs user is a part of and create repos in selected org

The `staging` branch has been rebased onto `main` and now includes the above change
App has been redeployed https://deploy.apps.vaasl.io

NOTE: The oauth app (`Deploy App` owned by `laconic-templates`) needs to be revoked to see changes in permissions on connecting GitHub again
https://github.com/settings/applications

image

Author
Member

confirming private repos don't show up anymore, however, `This application will be able to read and write all public repository data`. The app shouldn't have to require perms to write to repos.
Author
Member

Write perms to create a new repo is 👍
Write perms to write to existing/new repo is 👎
Member

> Write perms to create a new repo is 👍
> Write perms to write to existing/new repo is 👎

According to the available GitHub OAuth scopes, there is no scope that allows for creating a new repository without also granting write access to existing or newly created repositories
https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

Currently, the public_repo scope is used, which includes read/write access to code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations
image
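A defender-side check that follows from the scope discussion above (an added example, not code from snowballtools-base or the Deploy App): GitHub echoes a token's granted scopes in the `X-OAuth-Scopes` header of any API response, and this script parses that value offline and flags anything broader than the `public_repo` + `user` grant settled on in this issue, expanding GitHub's scope hierarchy so a leftover `repo` grant (which is what exposes private repos) is caught. The sample header value and the allow-list are constructed for the example.

```python
"""Offline audit of the scopes a GitHub OAuth token actually carries.

GitHub echoes a token's granted scopes in the X-OAuth-Scopes response
header of any API call made with it (e.g. GET /user). `audit()` parses
that value and, after expanding GitHub's scope hierarchy, flags anything
broader than the allow-list, so a leftover `repo` grant (public and
private repositories) is caught even though `public_repo` is allowed.
"""

# Parent scope -> narrower scopes it implies (subset of GitHub's published
# OAuth scope hierarchy; extend as needed).
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}

# The minimal grant this issue settled on.
ALLOWED = {"public_repo", "user"}

# Constructed sample header value for a token still carrying the broad
# `repo` scope (not captured from the real app).
SAMPLE_HEADER = "repo, user"

def parse_scopes(header_value: str) -> set[str]:
    """Split a comma-separated X-OAuth-Scopes value into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def expand(scopes) -> set[str]:
    """Close a scope set under the implication hierarchy in IMPLIED."""
    result, frontier = set(scopes), list(scopes)
    while frontier:
        for child in IMPLIED.get(frontier.pop(), ()):
            if child not in result:
                result.add(child)
                frontier.append(child)
    return result

def audit(header_value: str, allowed=ALLOWED) -> dict:
    """Report granted scopes, effective excess over the allow-list, and
    which granted scopes introduce that excess; "ok" is True if none."""
    granted = parse_scopes(header_value)
    allowed_eff = expand(allowed)
    excess = expand(granted) - allowed_eff
    offending = {s for s in granted if not expand({s}) <= allowed_eff}
    return {"granted": granted, "excess": excess,
            "offending": offending, "ok": not excess}
```

Running `audit(SAMPLE_HEADER)` reports `repo` as the offending scope; `audit("public_repo, user")` passes, which is the state to confirm after revoking and re-authorizing the app.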
Author
Member

oof. here's to hoping gitea has finer grained perms...
Reference: cerc-io/snowballtools-base#22