Comments (8)
Adding another screenshot of the permissions we request:
from bonsai.
The permissions need to be set on the account authorizing the query to the Github endpoint.
https://developer.github.com/apps/managing-github-apps/editing-a-github-app-s-permissions/
We (Sensu Inc) need to update the permission as part of the app config.
The app is an OAuth app, not registered as a Github app.
I just saw the email announcing this to the public, however the requested permissions are still the same. Does it truly need that level of access to my repos? I am still hesitant to share anything due to this.
Any updates on this? It's the one thing keeping me from sharing assets at the moment.
@nixwiz - I've looked into this further, and apparently Bonsai is requesting the minimum level of permissions possible via Github's OAuth Scopes. Bonsai requires:
- Ability to read repository information, specifically releases, tags, and release assets.
- Ability to create webhooks on a repository.
- Ability to read contributors on a repository.
- Ability to "star" a repository
- Ability to access basic user details, including email addresses.
Unfortunately, Github's permission system is not very granular. In order to obtain basic repository details, as well as the ability to star a repository, we have to request the "public_repo" scope to get access to release info, contributors, and the ability to star a repository. The "public_repo" scope though, contains read and write access to many other aspects of the repositories that Bonsai does not use. See Github's docs of available scopes here: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps
In summary, Bonsai requests the following scopes:
- public_repo - necessary to read contributors, releases, release assets, and to star a repository
- user:email - allows access to user's email address(es)
- write:repo_hook - allows write access to repository webhooks. Bonsai adds a webhook to all registered asset repositories which notifies bonsai when a new release is created. Bonsai then automatically registers that release as a new asset version.
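A way for an asset author to check, from their own side, that the token they authorized for Bonsai carries only the three scopes listed above and nothing broader. This is an added example, not Bonsai's code; the implication table is a subset of GitHub's documented scope hierarchy (`repo` includes `public_repo`, `user` includes `user:email`, `admin:repo_hook` includes `write:repo_hook`), and the `X-OAuth-Scopes` response header is what GitHub's API returns on authenticated calls.

```python
"""Audit the scopes actually granted on a GitHub OAuth token against the three Bonsai needs."""
from typing import Dict, Set

# The scopes Bonsai requests, as listed in the comment above.
BONSAI_REQUIRED: Set[str] = {"public_repo", "user:email", "write:repo_hook"}

# Broader scopes and the narrower scopes they include, per GitHub's OAuth scope docs.
# Only the scope families that touch Bonsai's needs are listed here.
IMPLIES: Dict[str, Set[str]] = {
    "repo": {"public_repo", "repo:status", "repo_deployment", "repo:invite"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"user:email", "read:user", "user:follow"},
}

def parse_scopes(header_value: str) -> Set[str]:
    """Parse the comma-separated X-OAuth-Scopes header GitHub returns on authenticated API calls."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def expand(scopes: Set[str]) -> Set[str]:
    """Close a scope set under IMPLIES, so 'repo' also counts as 'public_repo', and so on."""
    result, frontier = set(scopes), set(scopes)
    while frontier:
        frontier = {n for s in frontier for n in IMPLIES.get(s, set())} - result
        result |= frontier
    return result

def audit_scopes(header_value: str, required: Set[str] = BONSAI_REQUIRED) -> Dict[str, Set[str]]:
    """Classify granted scopes: missing requirements, broader-than-needed grants, unneeded grants."""
    granted = parse_scopes(header_value)
    extra = granted - required
    return {
        "missing": required - expand(granted),
        # e.g. 'repo' instead of 'public_repo': covers a need but also reaches private repos
        "overbroad": {s for s in extra if expand({s}) & required},
        # grants that cover none of the listed needs at all
        "unneeded": {s for s in extra if not (expand({s}) & required)},
    }

def fetch_granted_scopes(token: str) -> str:
    """Live check (needs network): GET /user with the token and return the X-OAuth-Scopes header."""
    import urllib.request
    req = urllib.request.Request("https://api.github.com/user",
                                 headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "") or ""
```

Run `audit_scopes(fetch_granted_scopes(token))` against a token you issued; a non-empty `overbroad` set means the grant reaches further than the three scopes Bonsai says it uses, and `missing` lists what Bonsai would fail on.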
Thanks for the response @mbiang.