Use bot token to create org hook #24
base: master
Conversation
Force-pushed 9144403 to c527985
Signed-off-by: sebastien.heurtematte <sebastien.heurtematte@eclipse-foundation.org>
Force-pushed c527985 to f87c87d
From a security standpoint, this is a good idea, but it will require a lot of manual effort to add the Unless there is an easier way to deal with bot token creation, it's going to be a -1 from me.
Not necessarily; only apply it to new bot creation.
I don't see any relation with this specific permission; it affects tokens in general. I really want to avoid this code: https://github.com/eclipse-cbi/ci-admin/pull/24/files#diff-8cec566c9498b286ab6c717c83aa85b4a580f137fdaa032ae26cb799fd7f76cfL20 (storing an eclipsewebmaster token in cbi local pass).
How do we set org-level webhooks with an existing bot token?
Yes, it affects tokens in general. So far, we don't rely on them, though. So we can still set org-level webhooks, even if a bot token has expired.
Looking at the code, and IIRC, this is already set on old tokens by using the eclipsewebmaster token.
Old bot tokens only have
@@ -47,13 +50,16 @@ org() { | |||
exit 1 | |||
fi | |||
|
|||
local pw_store_path="bots/${project_name}/${GITHUB_PASS_DOMAIN}" | |||
local bot_token=$(passw cbi "${pw_store_path}/api-token") | |||
|
|||
echo "Creating organization webhook..." | |||
|
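Review bot: `local bot_token=$(passw cbi "${pw_store_path}/api-token")` masks the exit status of `passw`, so a missing or unreadable `api-token` entry leaves `bot_token` empty and the org webhook request that follows is sent with no valid credential instead of failing right here; declare and assign separately, `local bot_token` and then `bot_token="$(passw cbi "${pw_store_path}/api-token")" || exit 1`. Since old bot tokens were not issued with admin:org_hook, this is also the place to verify that the token actually carries that scope (the x-oauth-scopes response header) and fall back to the webmaster token when it does not, rather than assuming every token read from bots/${project_name}/ can create the hook.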
You could add a check if the token has the appropriate scope:
has_scope="$(curl -sS -f -I -H "Authorization: token ..." https://api.github.com | grep -i "^x-oauth-scopes" | grep -c "admin:org_hook")"
if [ "${has_scope}" != "1" ]; then
  # use webmaster token
fi
and if the token has the scope, use it, otherwise fallback to the webmaster token.
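One way to implement the scope check described in the comment above, as an added example that is not code from the PR or from the ci-admin project. The helper names (github_scopes, has_scope, pick_token) are assumptions, and the scope strings at the bottom are constructed sample values standing in for what the x-oauth-scopes header would return, so the decision logic runs offline:

```shell
#!/bin/sh
# Added example (not ci-admin code): decide which token may create an org hook.

# github_scopes TOKEN: print the x-oauth-scopes header GitHub returns for TOKEN.
# Only classic PATs and OAuth tokens expose this header; fine-grained PATs and
# App installation tokens do not, so an empty result must count as "no scope".
github_scopes() {
  curl -sS -f -I -H "Authorization: token $1" https://api.github.com \
    | tr -d '\r' \
    | awk -F': ' 'tolower($1) == "x-oauth-scopes" { print $2 }'
}

# has_scope SCOPES WANTED: exact match of WANTED against a comma-separated
# scope list, so that "admin:org" is not mistaken for "admin:org_hook" and
# "public_repo" is not mistaken for "repo" (a plain grep would match both).
has_scope() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -qxF -- "$2"
}

# pick_token BOT_SCOPES WEBMASTER_SCOPES: prefer the project's own bot token,
# fall back to the webmaster token, and refuse if neither can create the hook.
pick_token() {
  if has_scope "$1" admin:org_hook; then
    echo bot
  elif has_scope "$2" admin:org_hook; then
    echo webmaster
  else
    echo none
  fi
}

# Constructed sample header values (assumptions, not real tokens' scopes).
NEW_BOT="repo, admin:org_hook, admin:repo_hook"
OLD_BOT="repo, admin:repo_hook"
WEBMASTER="admin:org, admin:org_hook, repo"

pick_token "$NEW_BOT" "$WEBMASTER"   # bot
pick_token "$OLD_BOT" "$WEBMASTER"   # webmaster
pick_token "$OLD_BOT" "admin:org"    # none
```

In the real script the two arguments to pick_token would come from `github_scopes "$bot_token"` and `github_scopes "$webmaster_token"`; the "none" branch is what turns a missing or headerless token into a hard failure instead of a silent unauthenticated hook call.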
Sounds good. @heurtematte can you add Thomas' suggestion?
Stop relying on the eclipse webmaster token to create org hooks; rely on the bot token's permissions instead.
This means adding a new permission to the bot token:
admin:org_hook