I've filed an issue with INFRA, to get their view on this:

https://issues.apache.org/jira/browse/INFRA-17449

zoran
On Fri, Dec 14, 2018 at 7:41 PM Zoran Regvart <[email protected]> wrote:
>
> Hi all,
> On Fri, Dec 14, 2018 at 6:45 PM Allen Wittenauer
> <[email protected]> wrote:
> > > On Dec 14, 2018, at 9:21 AM, Joan Touzet <[email protected]> wrote:
> > >
> > > Allen Wittenauer wrote:
> > >> I think part of the basic problem here is that GitHub’s view of 
> > >> permissions is really awful.  It is super super dumb that accounts have 
> > >> to have admin-level privileges for repos to use the API to do some basic 
> > >> things that can otherwise be gleaned by just scraping the user-facing 
> > >> website.  If anyone from GitHub is here, I’d love to have a chat. ;)
> > >
> >         Putting my thinking cap on, I wonder if the workaround here is to 
> > have a proxy for the REST API that forwards the ‘safe’ calls but disallows 
> > others. Maybe one already exists? I totally get the security and 
> > potentially legal ramifications of having accounts that can push.  But it 
> > sure seems like this problem is solvable with a bit of elbow grease.
>
> Why can't we have a global username/password for `asfgit` with a
> personal access token that can be used? It seems to be used for GitHub
> Pull request builder, so I'm guessing that there is already a blessed
> personal access token in place there with acceptable GitHub OAuth
> scopes.
>
> zoran
> --
> Zoran Regvart



-- 
Zoran Regvart
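
The filtering proxy floated earlier in the thread, sketched as an added example (not part of the original messages and not ASF or GitHub code): a default-deny decision function that forwards only allowlisted method/path pairs, plus a header rewrite so the privileged token lives only in the proxy. Which calls count as "safe" is an assumption made here, and the names `ALLOWED`, `decide` and `upstream_headers` are hypothetical.

```python
import re
from urllib.parse import urlsplit

_SEG = r"[A-Za-z0-9_.-]+"   # one owner or repo path segment
_SHA = r"[0-9a-f]{40}"

# Assumed policy: the only (method, path) pairs the proxy forwards upstream.
# Anything not listed (merges, hooks, repo settings, deletes) is refused.
ALLOWED = [
    ("GET",  re.compile(rf"/repos/{_SEG}/{_SEG}/pulls(/\d+)?")),
    ("GET",  re.compile(rf"/repos/{_SEG}/{_SEG}/commits/{_SHA}/status")),
    ("POST", re.compile(rf"/repos/{_SEG}/{_SEG}/statuses/{_SHA}")),
    ("POST", re.compile(rf"/repos/{_SEG}/{_SEG}/issues/\d+/comments")),
]

def decide(method: str, target: str) -> bool:
    """Return True only if this request line may be forwarded."""
    parts = urlsplit(target)
    # Origin-form targets only: no scheme or host smuggled into the request.
    if parts.scheme or parts.netloc:
        return False
    path = parts.path
    # Refuse anything the upstream might normalise into a different route:
    # percent-encoding, backslashes, empty segments, dot segments.
    if "%" in path or "\\" in path or "//" in path:
        return False
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    # fullmatch, so an allowed prefix cannot carry extra trailing segments.
    return any(method == m and rx.fullmatch(path) for m, rx in ALLOWED)

def upstream_headers(client_headers: dict, token: str) -> dict:
    """Drop client-supplied credentials; attach the proxy-held token."""
    blocked = {"authorization", "cookie", "host"}
    kept = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    kept["Authorization"] = f"token {token}"
    return kept

if __name__ == "__main__":
    sha = "a" * 40  # constructed sample commit id
    for method, target in [
        ("GET", "/repos/example-org/example-repo/pulls?state=open"),
        ("POST", f"/repos/example-org/example-repo/statuses/{sha}"),
        ("PUT", "/repos/example-org/example-repo/pulls/1/merge"),
        ("DELETE", "/repos/example-org/example-repo"),
    ]:
        print(method, target, "->", "forward" if decide(method, target) else "deny")
```

Build jobs would authenticate to the proxy with their own low-value credential, so a leaked job secret grants only the allowlisted calls.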
