
[PATCH dispatch.sr.ht] Use only necessary scopes for github tasks

Previously, dispatch.sr.ht required full access for the repo,
which raised questions in some projects and prevented them
from evaluating the service. This commit lowers permissions and now
the service requires:

'write:repo_hook' - create a webhook
'repo:status' - commit statuses

It also adds the following scopes for the future:

'user:email' - send email
'repo_deployment' - deployment statuses
'read:org' - read-only access to organization's data

I've set up a personal sr.ht instance and tested dispatch.sr.ht with 4 of
the mentioned permissions (without read:org; can test a lower scope) here [1].
I'm not sure whether you need the last three "future" permissions though.

[1] - https://github.com/kchibisov/srht-perms-tester
[docs] - https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/

 dispatchsrht/tasks/github/common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dispatchsrht/tasks/github/common.py b/dispatchsrht/tasks/github/common.py
index 4f966c7..f6bef0b 100644
--- a/dispatchsrht/tasks/github/common.py
+++ b/dispatchsrht/tasks/github/common.py
@@ -40,7 +40,7 @@ def github_redirect(return_to):
    # TODO: Do we want to generalize the scopes?
    parameters = {
        "client_id": _github_client_id,
        "scope": "repo",
        "scope": "repo:status write:repo_hook user:email repo_deployment read:org",
        "state": return_to,
    return redirect("{}?{}".format(gh_authorize_url, urlencode(parameters)))
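Review bot: The new "scope" value requests three scopes (user:email, repo_deployment, read:org) that, per the commit message, nothing in dispatch.sr.ht uses yet, which works against the patch's own least-privilege goal and asks every new user to consent to access the service cannot justify today. Suggest requesting only what the current code exercises, "scope": "repo:status write:repo_hook", and adding further scopes in the commit that actually introduces the feature needing them (users who authorized earlier will have to re-authorize when scopes grow, so it is worth noting that in the commit message). A short comment next to the string stating what each scope is for would also answer the existing "TODO: Do we want to generalize the scopes?" above it, or better, build the string from a list of (scope, reason) pairs so the justification lives beside the value.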
Message ID <20200322125804.351141-1-contact@kchibisov.com>
Thank you! This is being deployed now.