Posted to notifications@yetus.apache.org by "Allen Wittenauer (Jira)" <ji...@apache.org> on 2020/09/30 06:34:00 UTC
[jira] [Commented] (YETUS-1011) Workaround GitHub's token scopes
[ https://issues.apache.org/jira/browse/YETUS-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17204485#comment-17204485 ]
Allen Wittenauer commented on YETUS-1011:
-----------------------------------------
Some notes:
https://api.github.com/user will return scopes for PATs under X-OAuth-Scopes, but return 403 on GitHub Actions.
GitHub Actions will need to be hard-coded based upon this table: https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
Determining forked vs. non-forked is likely to be _extremely_ painful. :(
I don't know yet what GitHub App's temporary tokens look like, but suspect they are more like GitHub Action's tokens.
All this work just to write repo:statuses. :(
> Workaround GitHub's token scopes
> ---------------------------------
>
> Key: YETUS-1011
> URL: https://issues.apache.org/jira/browse/YETUS-1011
> Project: Yetus
> Issue Type: Improvement
> Components: Precommit
> Reporter: Allen Wittenauer
> Assignee: Allen Wittenauer
> Priority: Major
> Fix For: 0.13.0
>
>
> GitHub's token scopes have all sorts of problems. Most people are better off using a custom PAT (despite all the security issues...), but that won't help us under GitHub Actions where the scopes change between forked and non-forked. Worse, there doesn't appear to be a single API that can be used to determine what is possible.
> So rather than throw errors, do all the painful work to figure a) what kind of token was passed and b) what functionality can be enabled.
> Note: I've got a support ticket in with GitHub on this one.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
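The probing the comment above describes, as an added shell example (not Yetus code): read X-OAuth-Scopes from a /user response for a PAT, treat a 403 as an Actions GITHUB_TOKEN whose permissions must be hard-coded, and decide whether repo:statuses can be written. The two sample responses are constructed, and the "statuses are read-only for workflows from forked repositories" rule is an assumption taken from the permissions table linked in the comment.

```shell
#!/usr/bin/env bash
# Added example (not Yetus code): classify a GitHub token from the response to
# GET https://api.github.com/user and decide whether it may write commit statuses.
# The response text is passed in, so this runs offline; a live probe would be
#   curl -sS -i -H "Authorization: token ${TOKEN}" https://api.github.com/user

# Constructed sample responses: a PAT (200 + X-OAuth-Scopes) and an Actions
# GITHUB_TOKEN (403, no scope header at all).
SAMPLE_PAT_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nX-OAuth-Scopes: repo, read:org\r\nContent-Type: application/json\r\n')
SAMPLE_ACTIONS_RESPONSE=$(printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n')

# github_token_kind RESPONSE -> prints pat | actions | unknown
github_token_kind() {
  status=$(printf '%s\n' "$1" | head -n 1 | awk '{print $2}')
  case "$status" in
    200)
      # PATs report their scopes in X-OAuth-Scopes
      if printf '%s\n' "$1" | grep -qi '^x-oauth-scopes:'; then echo pat; else echo unknown; fi ;;
    403)
      # GITHUB_TOKEN cannot call /user, so there is no header to read
      echo actions ;;
    *) echo unknown ;;
  esac
}

# github_pat_scopes RESPONSE -> prints the comma-separated scope list
github_pat_scopes() {
  printf '%s\n' "$1" | grep -i '^x-oauth-scopes:' | head -n 1 \
    | sed -e 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# github_can_write_status KIND SCOPES FORKED -> exit 0 if repo:statuses is writable
# KIND is from github_token_kind; FORKED is "true" for a pull_request from a fork.
github_can_write_status() {
  case "$1" in
    pat)
      # "repo" grants every repo:* sub-scope; repo:status alone also suffices
      case ",$(printf '%s' "$2" | tr -d ' ')," in
        *,repo,*|*,repo:status,*) return 0 ;;
        *) return 1 ;;
      esac ;;
    actions)
      # Hard-coded from GitHub's permissions table (assumption: statuses are
      # read-only for workflows triggered from forked repositories).
      [ "$3" != "true" ] ;;
    *) return 1 ;;
  esac
}
```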