
GitHub Access Token Scopes #13

Closed
mlclmj opened this issue Jan 15, 2020 · 6 comments
Comments

@mlclmj
Contributor

mlclmj commented Jan 15, 2020

Hi 👋

Thanks so much for writing and maintaining this awesome plugin!

I wanted to open a quick issue about the access token scopes that are required for this to work, namely it seems that the token actually needs full access to private repos, instead of just access to commit statuses in order to work. Is that something that others have seen?

Thanks!

@jimsheldon

Sorry for the delay on responding. The goal is certainly to keep the scope as small as possible, we will investigate and get back to you.

@jimsheldon

Our expectation was that setting a scope of repo:status would be enough to call these two functions:

https://github.com/google/go-github/blob/master/github/git_commits.go#L74
https://github.com/google/go-github/blob/master/github/repos_commits.go#L226

I tested and repo:status was not enough, I had to set all of repo.

Reading https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/ it seems repo:status would be plenty:

Grants read/write access to public and private repository commit statuses. This scope is only necessary to grant other users or services access to private repository commit statuses without granting access to the code.

At the very least we need to change the README to specify repo rather than repo:status, but I will keep investigating just in case.
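The manual test described in the comment above (try the commit-read and commit-status calls with a repo:status token, then with a full repo token) can be scripted. The following Go program is an added example and is not code from this issue, from the plugin, or from go-github. It reads the X-OAuth-Scopes header that GitHub attaches to authenticated responses and probes both endpoints; the token strings, the owner/repo/sha values and the fakeGitHub stand-in (which models the 404-for-unreadable-private-repo behaviour reported in the thread so the program runs offline) are all constructed for the example. Point apiBase at https://api.github.com with a real token to run it for real.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Probe summarises what a token can do against one repository.
type Probe struct {
	Scopes        []string // parsed from the X-OAuth-Scopes response header
	CanReadCommit bool     // GET /repos/{owner}/{repo}/commits/{sha} returned 200
	CanSetStatus  bool     // POST /repos/{owner}/{repo}/statuses/{sha} returned 201
}

// call issues one authenticated request and discards the body; only the
// status code and headers matter for the probe.
func call(apiBase, token, method, path string) (*http.Response, error) {
	req, err := http.NewRequest(method, apiBase+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return resp, nil
}

// ProbeToken tries the two operations the extension needs and records the
// scopes GitHub reports for the token. A 404 on the commit read is what the
// thread observed for a private repo when only repo:status was granted.
func ProbeToken(apiBase, token, owner, repo, sha string) (Probe, error) {
	var p Probe
	base := fmt.Sprintf("/repos/%s/%s", owner, repo)
	read, err := call(apiBase, token, "GET", base+"/commits/"+sha)
	if err != nil {
		return p, err
	}
	status, err := call(apiBase, token, "POST", base+"/statuses/"+sha)
	if err != nil {
		return p, err
	}
	for _, s := range strings.Split(read.Header.Get("X-OAuth-Scopes"), ",") {
		if s = strings.TrimSpace(s); s != "" {
			p.Scopes = append(p.Scopes, s)
		}
	}
	p.CanReadCommit = read.StatusCode == http.StatusOK
	p.CanSetStatus = status.StatusCode == http.StatusCreated
	return p, nil
}

// fakeGitHub is a constructed stand-in for api.github.com, not the real API.
// It models the behaviour reported in the thread for a PRIVATE repository:
// repo:status suffices to post a status, but reading a commit needs the full
// repo scope, and GitHub answers 404 for a private repo the token cannot see.
func fakeGitHub() *httptest.Server {
	scopesByToken := map[string]string{ // constructed tokens
		"gho_statusonly": "repo:status",
		"gho_fullrepo":   "repo, read:org",
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "token ")
		scopes, ok := scopesByToken[tok]
		if !ok {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("X-OAuth-Scopes", scopes)
		granted := map[string]bool{}
		for _, s := range strings.Split(scopes, ",") {
			granted[strings.TrimSpace(s)] = true
		}
		switch {
		case r.Method == "POST" && strings.Contains(r.URL.Path, "/statuses/"):
			if granted["repo"] || granted["repo:status"] {
				w.WriteHeader(http.StatusCreated)
				return
			}
		case r.Method == "GET" && strings.Contains(r.URL.Path, "/commits/"):
			if granted["repo"] {
				w.WriteHeader(http.StatusOK)
				return
			}
		}
		w.WriteHeader(http.StatusNotFound)
	}))
}

func main() {
	srv := fakeGitHub()
	defer srv.Close()
	for _, tok := range []string{"gho_statusonly", "gho_fullrepo"} {
		p, err := ProbeToken(srv.URL, tok, "acme", "private-app", "0123abcd")
		if err != nil {
			fmt.Println(tok, "error:", err)
			continue
		}
		fmt.Printf("%s scopes=%v readCommit=%v setStatus=%v\n", tok, p.Scopes, p.CanReadCommit, p.CanSetStatus)
	}
}
```

The probe checks the scopes GitHub actually reports rather than trusting what the token was supposedly created with, which is the check worth running before documenting a required scope in the README.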

@bradrydzewski

@jimsheldon I can confirm that the repo scope is required to access a private repository or any of its files. Unfortunately GitHub does not provide anything more fine-grained for OAuth access.

We could consider sending the user token from Drone to this extension in the payload. It would have to be opt-in since everyone might not be comfortable with the token leaving the Drone server. It doesn't solve the scope problem (Drone has the same scope) but it would be one less token to manage.

@jimsheldon

From our discussions with GitHub support it seems there is no way around this, unfortunately.

I will close this for now.

@tonglil
Contributor

tonglil commented Aug 4, 2022

FWIW, the go library seems to have added a way to pass the credential to the extension: drone/drone-go@f9e4fe3

I tested this with a sample extension and the access token seems to be present:

{Access:gho_y6........... Refresh:} 

@wez

wez commented Sep 18, 2023

Are there plans to make use of the token being passed through, as mentioned by @tonglil in the comment above? Should this issue be re-opened?
