[ 
https://issues.apache.org/jira/browse/YETUS-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17204485#comment-17204485
 ] 

Allen Wittenauer edited comment on YETUS-1011 at 9/30/20, 6:38 AM:
-------------------------------------------------------------------

Some notes:

My quick look through the API seems to indicate there is zero way to ask GitHub 
what kind of token test-patch was given.  The one that looks promising 
(/authorization) is slated to go away....

https://api.github.com/user will return scopes for PATs under X-OAuth-Scopes, 
but return 403 on GitHub Actions and likely other token types.

GitHub Actions will need to be hard-coded based upon this table: 
https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token .
If it changes, TFB.... will have to wait until the next release and/or 
stuff breaks horribly.  

Determining forked vs. non-forked is likely to be _extremely_ painful given how 
much initial context test-patch has at runtime. :( Expect several API calls.

I don't know yet what GitHub App's temporary tokens look like, but suspect they 
are more like GitHub Action's tokens.

All this work just to write repo:statuses . :(


was (Author: aw):
Some notes:

https://api.github.com/user will return scopes for PATs under X-OAuth-Scopes, 
but return 403 on GitHub Actions.

GitHub Actions will need to be hard-coded based upon this table: 
https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token

Determining forked vs. non-forked is likely to be _extremely_ painful. :(

I don't know yet what GitHub App's temporary tokens look like, but suspect they 
are more like GitHub Action's tokens.

All this work just to write repo:statuses . :(
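The probe the comment describes (GET https://api.github.com/user, scopes in the X-OAuth-Scopes header for a PAT, a 403 for the Actions GITHUB_TOKEN), as an added bash example that is not test-patch's own code. It assumes that a 403 from that endpoint means an Actions-style token (the comment notes other token types may answer 403 too), that scope names come back comma-separated, and that the bare `repo` scope covers every `repo:*` sub-scope. The live call is in `probe_github_token`; the parsing runs offline against constructed sample headers so the classification can be checked without network access.

```shell
#!/usr/bin/env bash
# Added example, not Yetus/test-patch code: classify a GitHub token from the
# response headers of GET https://api.github.com/user and check whether the
# minimum scope for writing commit statuses (repo:status) is present.

# classify_token_headers <file-with-raw-HTTP-response-headers>
# Prints "pat <scopes>", "actions", or "unknown <status>".
classify_token_headers() {
  local hdrs="$1"
  local status scopes
  # Status code from the first line, e.g. "HTTP/1.1 200 OK" or "HTTP/2 403".
  status=$(sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' "$hdrs")
  # Scope list from the X-OAuth-Scopes header (only sent for PATs).
  scopes=$(grep -i '^x-oauth-scopes:' "$hdrs" | sed 's/^[^:]*: *//' | tr -d '\r')
  case "$status" in
    200)
      if [ -n "$scopes" ]; then echo "pat $scopes"; else echo "unknown 200"; fi ;;
    403)
      # Assumption: the Actions GITHUB_TOKEN (and possibly other token kinds)
      # answers 403 here; its permissions come from the documented table instead.
      echo "actions" ;;
    *) echo "unknown $status" ;;
  esac
}

# token_has_scope "<comma-separated scope list>" "<wanted scope>"
# Returns 0 if the wanted scope is present. Assumption: "repo" implies
# every "repo:*" sub-scope (so it satisfies repo:status).
token_has_scope() {
  local list="$1" want="$2" s
  local IFS=', '
  for s in $list; do
    [ "$s" = "$want" ] && return 0
    [ "$s" = "repo" ] && [ "${want#repo:}" != "$want" ] && return 0
  done
  return 1
}

# probe_github_token <token>: the live call; needs network access.
probe_github_token() {
  local tmp
  tmp=$(mktemp)
  curl -sS -D "$tmp" -o /dev/null \
    -H "Authorization: token $1" https://api.github.com/user
  classify_token_headers "$tmp"
  rm -f "$tmp"
}

# Constructed sample responses for offline demonstration (not real captures).
sample_pat_headers() {
  printf 'HTTP/2 200\r\nx-oauth-scopes: public_repo, repo:status\r\ncontent-type: application/json\r\n\r\n'
}
sample_actions_headers() {
  printf 'HTTP/2 403\r\ncontent-type: application/json\r\n\r\n'
}

# Usage: probe_github_token "$GITHUB_TOKEN"
#        token_has_scope "public_repo, repo:status" repo:status && echo "can write statuses"
```

Deciding what a token can do from the probe alone is only half the picture: for the Actions token the script still has to consult the permissions table, and the fork/non-fork distinction the comment mentions is not visible in this response at all.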

> Workaround GitHub's token scopes 
> ---------------------------------
>
>                 Key: YETUS-1011
>                 URL: https://issues.apache.org/jira/browse/YETUS-1011
>             Project: Yetus
>          Issue Type: Improvement
>          Components: Precommit
>            Reporter: Allen Wittenauer
>            Assignee: Allen Wittenauer
>            Priority: Major
>             Fix For: 0.13.0
>
>
> GitHub's token scopes have all sorts of problems.  Most people are better off 
> using a custom PAT (despite all the security issues...), but that won't help 
> us under GitHub Actions where the scopes change between forked and 
> non-forked.  Worse, there doesn't appear to be a single API that can be used 
> to determine what is possible.
> So rather than throw errors, do all the painful work to figure a) what kind 
> of token was passed and b) what functionality can be enabled.
> Note: I've got a support ticket in with GitHub on this one. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
