Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use bot token to create org hook #24

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Use bot token to create org hook #24

wants to merge 2 commits into from

Conversation

heurtematte
Copy link
Contributor

Stop relying on eclipse webmaster token to create orgs hook but on bot token permission.
This means adding a new permission to bot token: admin:org_hook

@heurtematte heurtematte requested a review from fredg02 September 14, 2023 12:49
@heurtematte heurtematte force-pushed the feat/orghook_bot branch 2 times, most recently from c527985 to f87c87d Compare September 14, 2023 13:44
@fredg02
Copy link
Contributor

fredg02 commented Sep 18, 2023

From a security standpoint, this is a good idea, but it will require a lot of manual effort to add the admin:org_hook permission to every bot token. Also, bot tokens expire automatically if they have not been used in more than a year.

Unless there is an easier way to deal with bot token creation, it's going to be a -1 from me.

@heurtematte
Copy link
Contributor Author

it will require a lot of manual effort to add the admin:org_hook permission to every bot token.

Not necessary only apply to new bot creation.

Also, bot tokens expire automatically if they have not been used in more than a year.

I don't see any relation with this specific permission, it affects token in general.

I really want to avoid this code: https://github.com/eclipse-cbi/ci-admin/pull/24/files#diff-8cec566c9498b286ab6c717c83aa85b4a580f137fdaa032ae26cb799fd7f76cfL20

Storing an eclipsewebmaster token in cbi local pass.

@fredg02
Copy link
Contributor

fredg02 commented Sep 18, 2023

Not necessary only apply to new bot creation.

How do we set org level webhooks with existing bot token?

I don't see any relation with this specific permission, it affects token in general.

Yes, it affects token in general. So far, we don't rely on them though. So we can still set org level webhooks, even if a bot token expired.

@heurtematte
Copy link
Contributor Author

How do we set org level webhooks with existing bot token?

looking at the code and IIRC, this is already set on old token by using the eclipsewebmaster token.

@fredg02
Copy link
Contributor

fredg02 commented Sep 19, 2023

looking at the code and IIRC, this is already set on old token by using the eclipsewebmaster token.

Old bot tokens only have admin:repo_hook not admin:org_hook. And org level webhooks have not been set for all orgs yet.

@heurtematte
feat: use bot token to create org hook
fb29205 
Signed-off-by: sebastien.heurtematte <[email protected]>
@heurtematte
refactor: github webhook creation
633cdd4 
Signed-off-by: sebastien.heurtematte <[email protected]>
@heurtematte
Copy link
Contributor Author

In addition, the code has been refactored.

@heurtematte
Copy link
Contributor Author

@fredg02 gentle ping 🙂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@netomi netomi netomi left review comments

@fredg02 fredg02 Awaiting requested review from fredg02

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@heurtematte @fredg02 @netomi