Reduce necessary permissions on linking with github about singularityhub.github.io HOT 11 CLOSED

hey @olifte! We need write to make webhooks. Do you have other suggestions?

from singularityhub.github.io.

We need write to make webhooks.

Thanks for the quick reply, that already helps me to understand why it's needed.
Though, that does not explain why write is needed also for the "personal user data" on github instead of for the repositories only.

Maybe another solution could be to document how the webhooks need to look like, and let the more cautious users set them up themselves?

Also, if I compare e.g. with travis-ci, here is the list of permissions they requested via oauth:

• Read org and team membership
• Access commit status
• Access deployment status
• Access user email addresses (read-only)
• Write repository hooks

i.e. no full repo access, only access to write repo hooks. That would be perfectly fine with me.

from singularityhub.github.io.

Thanks @olifre ! Yes I think we can definitely be more specific about permissions asked for - I'll be sure to test this out with the next version of Shub (it will be updated right after 2.3 release)

from singularityhub.github.io.

Yes I think we can definitely be more specific about permissions asked for - I'll be sure to test this out with the next version of Shub (it will be updated right after 2.3 release)

Perfect, many thanks!
Full access to account information (including "write" for the accounts mail address - which essentially allows impersonation) is really a no-go for organizations otherwise - and it would be sad to not be able to use singularity hub just due to not-specific permissions.

Please update this issue ticket once the permissions are more fine-grained, then I will certainly link my github to singularity hub and test it out (and recommend it to my colleagues).

from singularityhub.github.io.

will do!

from singularityhub.github.io.

This issue, when fixed, will also address #7

from singularityhub.github.io.

I'd like to second the requests made in this issue - it is unsettling to give over so much access.

from singularityhub.github.io.

just to update you guys - this will definitely be the case for the next version of Singularity Hub. I completely agree on all points.

from singularityhub.github.io.

hey @olifre ! How does this level of permissions look?

The webhooks and commits do not give code access, and the account information is also read only. Would this be suitable for your group?

from singularityhub.github.io.

hey @vsoch ! This looks significantly better, I believe that's acceptable.
Just to make sure, let's ping my colleague @wiene .
Does the last permission imply that Singularity Hub also provides feedback for commits integrated in Github, i.e. "container build worked"? That's a cool feature!

from singularityhub.github.io.

The commit status part may not even be necessary, likely being able to create (and then receive a webhook is sufficient) but I'm testing that one out to see what kind of cool stuff could be possible :)

from singularityhub.github.io.