-
-
Notifications
You must be signed in to change notification settings - Fork 375
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add flag to only access public repositories on GitHub #3566
Conversation
By the way, does Woodpecker need only write access to webhooks? Or does it need to delete them, too? |
No, woodpecker deletes them when you disable a repo, so this scope is necessary. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you update your branch or allow updates from maintainers?
Branch is up-to-date (I think allowing changes just isn't a thing I can do because the fork is owned by an org) |
Deployment of preview was successful: https://woodpecker-ci-woodpecker-pr-3566.surge.sh |
The |
This PR adds the
WOODPECKER_GITHUB_ONLY_PUBLIC
which instructs the GitHub client to only obtain clients which have permissions to operate on public repositories.We have tested these changes on our own instance and can report that at least the basic functionality works.
Someone please feel free to chime in if this breaks any other functionality of Woodpecker we weren't aware of.
Rationale: This follows the principle of least privilege. We run a public Woodpecker instance for an open-source project. We never intend to run it on anything but public repositories.
The standard permissions are rather scary though.
Read and write access to all public and private data including settings, deploy keys, code, collaboration invites, etc.
By restricting access to the following scopes:
admin:repo_hook
repo:status
user:email
read:org
we can still have all the functionality Woodpecker needs (manage webhooks, update repository statuses, etc.) without the scary settings such as invites, writing to all aspects, etc.
New authorization dialog: