[JIRA] (JENKINS-37608) Configurability of GitHub Branch Source to use Scan User with only Read permission

2016-10-14 Thread jgl...@cloudbees.com (JIRA)
 Jesse Glick commented on  JENKINS-37608  
 Would rather fix this right. Currently stephenconnolly is doing some work on the plugin, though not in this area.  
 This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)  

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[JIRA] (JENKINS-37608) Configurability of GitHub Branch Source to use Scan User with only Read permission

2016-10-14 Thread bksavi...@gmail.com (JIRA)
 Brian Saville commented on  JENKINS-37608  
In our case, we are using GitHub Enterprise and we automatically trust all PRs. While what you are proposing makes a lot of sense for github.com, it doesn't make as much sense for Enterprise GH. If we could add some configuration to just disable the check, that would be great. Right now I'm pulling the source, overriding the isTrusted method to return true, and building a custom version of the plugin, since it is unacceptable for our users right now to add our API user with write permissions to their org. I feel that this is really a bug in GitHub's API, but to work around it, I'm happy to submit a PR that adds something so you can configure whether you want to trust all explicitly without checking collaborators and requiring write access. What do you think, Jesse Glick?


[JIRA] (JENKINS-37608) Configurability of GitHub Branch Source to use Scan User with only Read permission

2016-09-19 Thread jgl...@cloudbees.com (JIRA)
 Jesse Glick commented on  JENKINS-37608  
 Probably the plugin needs to be reworked to use this new API. Requires study. CC James Dumay.  


[JIRA] (JENKINS-37608) Configurability of GitHub Branch Source to use Scan User with only Read permission

2016-08-24 Thread jgl...@cloudbees.com (JIRA)
 Jesse Glick commented on  JENKINS-37608  
 So this would be quite problematic. If the user associated with the scan access token has no permissions to check whether other users would be able to push to repositories, then to be on the safe side it would need to assume that all users are untrusted, which would prevent any forked pull request from modifying Jenkinsfile, even if it is coming from an authorized user.  


[JIRA] (JENKINS-37608) Configurability of GitHub Branch Source to use Scan User with only Read permission

2016-08-24 Thread jgl...@cloudbees.com (JIRA)
 Jesse Glick commented on  JENKINS-37608  
 Status notifications is a separate permission, repo:status. You should not need write access AFAIK. Checking for trusted PRs is another matter. As noted in JENKINS-36240, the current implementation is just a heuristic, since GitHub offers no official API for this. But whatever it offers, it is unlikely to work with permissions lower than organizational administrator.  


[JIRA] (JENKINS-37608) Configurability of GitHub Branch Source to use Scan User with only Read permission

2016-08-22 Thread aburdajew...@cloudbees.com (JIRA)
 Allan BURDAJEWICZ commented on  JENKINS-37608  
I believe this would require the following:

Ability to configure/control whether the status should be automatically updated or not.
Ability to configure/control whether non-trusted PRs should be accepted or not.


[JIRA] (JENKINS-37608) Configurability of GitHub Branch Source to use Scan User with only Read permission

2016-08-22 Thread aburdajew...@cloudbees.com (JIRA)
 Allan BURDAJEWICZ created an issue  
 Jenkins /  JENKINS-37608  
 
 
  Configurability of GitHub Branch Source to use Scan User with only Read permission   
Issue Type: New Feature
Assignee: Unassigned
Components: github-branch-source-plugin
Created: 2016/Aug/23 4:46 AM
Environment: github-branch-source:1.9, Jenkins:2.7
Priority: Major
Reporter: Allan BURDAJEWICZ

The scan user needs Write permission on a repository:

to be able to update the commit status via GitHub Branch Source (see GitHubBuildStatusNotification)
to check whether a PR/Branch is trusted (see GitHubSCMSource)

Granting a single user Write permissions to all organization repositories is a security concern. Git writes and status updates could instead be handled inside the Pipeline/Jenkinsfile. This request is about a configurable solution so that a scan user doesn't need Read permissions to scan PR/Branches.
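
As an added illustration (not the github-branch-source plugin's own code; the function names, the permission strings and the HTTP-to-None mapping are assumptions), the trust decision discussed in this issue: the fail-closed rule from Jesse's 2016-08-24 comment when a read-only scan user cannot query a PR author's collaborator permission, and the explicit "trust all" switch Brian proposes for closed Enterprise instances.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative model of the trust decision debated in this issue. It is NOT
# the github-branch-source plugin's code; the names and the mapping below are
# assumptions. `author_permission` stands for what GitHub's collaborator-
# permission endpoint reports for the PR author ("admin", "write", "read",
# "none"), or None when the scan user was not allowed to query it at all
# (for example a 403 because the scan user only has read access).
Permission = Optional[str]

PUSH_PERMISSIONS = frozenset({"admin", "write"})


@dataclass(frozen=True)
class TrustConfig:
    # Brian's proposed switch: trust every PR author without consulting the
    # collaborators API. Only defensible on a closed Enterprise instance where
    # every fork author is already an insider.
    trust_all: bool = False


def is_trusted(author_permission: Permission, cfg: TrustConfig) -> bool:
    """Return True when the PR author may change the Jenkinsfile that runs."""
    if cfg.trust_all:
        return True
    if author_permission is None:
        # The lookup itself was refused: a read-only scan user cannot answer
        # the question, so fail closed (Jesse's point) instead of guessing.
        return False
    return author_permission in PUSH_PERMISSIONS


def jenkinsfile_revision(author_permission: Permission, cfg: TrustConfig,
                         head_sha: str, base_sha: str) -> str:
    """Choose which commit's Jenkinsfile to execute for a forked PR.

    A trusted author's own head is used. For an untrusted fork the PR sources
    are still built, but the Jenkinsfile is taken from the target branch so
    the fork cannot smuggle pipeline changes into the build.
    """
    return head_sha if is_trusted(author_permission, cfg) else base_sha


if __name__ == "__main__":
    # Constructed sample values, not real commits.
    ro = TrustConfig()
    print(jenkinsfile_revision("read", ro, "pr-head", "target-base"))  # target-base
    print(jenkinsfile_revision(None, ro, "pr-head", "target-base"))  # target-base
    print(jenkinsfile_revision(None, TrustConfig(trust_all=True),
                               "pr-head", "target-base"))  # pr-head
```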