During yesterday's meeting I forgot to bring up the topic of GitHub apps. During the preparation of https://docs.google.com/forms/d/e/1FAIpQLSckxxUeAWKwUzjju6ftDjPeNWVWT_2_Y7md...
I stumbled upon
https://developer.github.com/apps/getting-started-with-building-apps/
and according to the graph, it is straightforward that we likely want to use a GitHub App with an OAuth App, which is IMHO best from a security POV and from both the developer and the user perspective.
Comments?
Mirek
On Wednesday, March 21, 2018 10:32:08 AM CET Miroslav Suchý wrote:
IMO a GitHub App is enough. The usual workflow would be to:
1. create the GitHub App
2. .. with good-enough fine-grained permissions (usually "Read and write access to commit statuses" is enough)
3. grant that app access only to particular repository(ies)
4. store **only** the **app** credentials into copr
In such a case, there's almost nothing to worry about, basically. So there shouldn't be a reason not to have the feature from a security POV.
OTOH, to make this somewhat useful, we have to have much better support for GitHub pull requests. But yes, this is basically an absolutely necessary feature if we want to
- securely submit a copr build for a PR in github (via webhook) and
- let the "CI bits" in the github PR be updated automatically by Copr
Pavel
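As an added illustration of the workflow above (example code written for this page, not Copr's or GitHub's own), here is what the Copr side looks like once such an App exists: verify the webhook delivery with the secret configured on the App, decide whether a pull_request event should trigger a build, and prepare the commit-status update that sets the "CI bit" on the PR head commit using a short-lived installation token. Because that token belongs to the App installation, the status appears under the App's bot identity rather than any user's account, which is the distinction raised later in the thread about installation tokens versus OAuth access tokens. The webhook secret, payload, installation id and SHA are constructed for the example; X-Hub-Signature-256 is the HMAC-SHA256 header GitHub sends today (in 2018 only the SHA-1 X-Hub-Signature existed), and obtaining the installation token itself (an RS256 JWT signed with the App's private key, exchanged for a token at the installation's access_tokens endpoint) is assumed to have already happened and is not shown.

```python
"""Constructed example: verify a GitHub App webhook and prepare a commit status.

Assumptions (not from the thread): the App was created with a webhook secret
and "Read and write access to commit statuses"; Copr stores only the App's
own credentials and fetches short-lived installation tokens at run time.
"""
import hashlib
import hmac
import json

# Hypothetical secret entered when the GitHub App was created.
WEBHOOK_SECRET = b"example-webhook-secret-not-real"


def verify_signature(secret: bytes, body: bytes, signature_header) -> bool:
    """Check the X-Hub-Signature-256 header: "sha256=" + hex HMAC of the raw body.

    The raw request bytes must be used (not a re-serialised JSON object) and
    the comparison is constant-time, so a forged delivery cannot be timed.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def pr_build_request(event: str, payload: dict):
    """Return (installation_id, owner, repo, head_sha, pr_number) when the
    delivery is a pull request that should be built, otherwise None.
    Only "opened" and "synchronize" actions trigger a build."""
    if event != "pull_request":
        return None
    if payload.get("action") not in ("opened", "synchronize"):
        return None
    pr = payload["pull_request"]
    repo = pr["base"]["repo"]  # the status goes to the base repo, not the fork
    return (payload["installation"]["id"],
            repo["owner"]["login"], repo["name"],
            pr["head"]["sha"], payload["number"])


def commit_status_request(owner, repo, sha, installation_token, state, target_url):
    """Build the Statuses API call that sets the "CI bit" on the head commit.

    POST /repos/{owner}/{repo}/statuses/{sha}; the Authorization header
    carries the installation token, so the status is posted as the App's
    bot identity and needs only the "statuses" permission.
    """
    assert state in ("pending", "success", "failure", "error")
    return {
        "method": "POST",
        "url": f"https://api.github.com/repos/{owner}/{repo}/statuses/{sha}",
        "headers": {
            "Authorization": f"token {installation_token}",
            "Accept": "application/vnd.github+json",
        },
        "json": {
            "state": state,
            "target_url": target_url,
            "description": "Copr build",
            "context": "copr/build",
        },
    }


def handle_delivery(event, body, signature_header, secret=WEBHOOK_SECRET):
    """Full receive path: reject unsigned or forged deliveries before parsing."""
    if not verify_signature(secret, body, signature_header):
        return None
    return pr_build_request(event, json.loads(body))


# Constructed sample delivery (not a real GitHub payload).
SAMPLE_PAYLOAD = {
    "action": "synchronize",
    "number": 42,
    "installation": {"id": 12345},
    "pull_request": {
        "head": {"sha": "0123456789abcdef0123456789abcdef01234567"},
        "base": {"repo": {"name": "hello", "owner": {"login": "example-org"}}},
    },
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()
# What GitHub would put in the header for this body and secret.
SAMPLE_SIGNATURE = "sha256=" + hmac.new(WEBHOOK_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    build = handle_delivery("pull_request", SAMPLE_BODY, SAMPLE_SIGNATURE)
    print("build request:", build)
    print("forged delivery accepted?",
          handle_delivery("pull_request", SAMPLE_BODY, "sha256=" + "0" * 64) is not None)
    _, owner, repo, sha, _ = build
    print(json.dumps(commit_status_request(owner, repo, sha, "<installation token>",
                                           "pending", "https://copr.example/build/1"), indent=2))
```

The signature check must run on the raw body before any JSON parsing, and a mismatch should be answered with a plain 4xx and no build; the installation token used for the status call expires after about an hour, so Copr never needs to persist anything but the App's own key and webhook secret.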
On Wednesday, March 21, 2018 12:36:25 PM CET Miroslav Suchý wrote:
On 21.3.2018 at 12:28 Pavel Raiskup wrote:
4. store **only** the **app** credentials into copr
Yes. Only one app for all projects and all GitHubs, and the individual permission for each specific GitHub is granted via OAuth.
GitHub OAuth:
  pros: users don't have to create a custom app (a few clicks anyway)
  cons: that app has complete access to the repo, even push
GitHub App:
  pros: users can grant the app to e.g. only set the "CI flags" in a PR
  cons: users have to create the custom app in the web UI
To me, we should support both ways (OAuth for the convenience of users).. but I voted for non-OAuth as that's the only option I would _personally_ accept.
Pavel
The chart says that we likely want to use a GitHub App. It doesn't matter which way you go, you always end up with a GitHub App because of "Access everything? No".
Also, they say this in the document:
Using OAuth Apps
- An OAuth App should always act as the authenticated GitHub user, across all of GitHub
- Don't build an OAuth App if you want your application to act on a single repository. With the repo OAuth scope, OAuth apps can act on all of the authenticated user's repositories.
I have a question about the user-friendliness of these two - GitHub App vs OAuth App. I am reading through tons of docs, but can't find the answer anywhere. Do I understand it right, that in the case of a GitHub App, every user will need to create his own app to get a new access token and put that into Copr, but in the case of an OAuth app, *we* will create an application, put it somehow into https://github.com/works-with and then a user will just one-click to allow it and then everything will automagically work?
In such a case, OAuth apps may be worth it even though the permission restriction possibilities are limited ( https://developer.github.com/apps/building-oauth-apps/scopes-for-oauth-apps/ )
Jakub
copr-devel mailing list -- copr-devel@lists.fedorahosted.org To unsubscribe send an email to copr-devel-leave@lists.fedorahosted.org
On Thursday, March 22, 2018 11:31:23 AM CET Jakub Kadlcik wrote:
I have a question about the user-friendliness of these two - GitHub App vs OAuth App. I am reading through tons of docs, but can't find the answer anywhere. Do I understand it right, that in the case of a GitHub App, every user will need to create his own app to get a new access token and put that into Copr, but in the case of an OAuth app, *we* will create an application, put it somehow into https://github.com/works-with and then a user will just one-click to allow it and then everything will automagically work?
- _I think_ that you can _only_ share a GitHub OAuth App on GitHub's "Marketplace". Go to Settings -> Developer settings -> OAuth Apps -> <THE APP> -> "List this application in the Marketplace"
- I'm not sure whether we can implement OAuth in a one-click fashion for the user, but I have to admit that I haven't gone that far with the research (I only played with GitHub Apps, and those work pretty well for the use case).
In such a case, OAuth apps may be worth it even though the permission restriction possibilities are limited ( https://developer.github.com/apps/building-oauth-apps/scopes-for-oauth-apps/ )
Right. Maybe that's not an issue, who knows (TravisCI or CircleCI seem to be implemented this way, and people trust them, so why wouldn't they trust Copr?). For me it would be crucial whether the application (== copr) works under its own name, say "Copr CI Bot", or it does something (or can) under my nick-name... If it has its own identity, I would be fine.
Pavel
On Thu, Mar 22, 2018 at 2:13 PM, Pavel Raiskup praiskup@redhat.com wrote:
Right. Maybe that's not an issue, who knows (TravisCI or CircleCI seem to be implemented this way, and people trust them, so why wouldn't they trust Copr?). For me it would be crucial whether the application (== copr) works under its own name, say "Copr CI Bot", or it does something (or can) under my nick-name... If it has its own identity, I would be fine.
As for the token-based authentication described here:
https://developer.github.com/apps/differences-between-apps/#token-based-iden...
- GitHub App: An installation token identifies the app as the GitHub Apps bot, such as @jenkins-bot.
- OAuth App: An access token identifies the app as the user who granted the token to the app, such as @octocat.
Jakub
On Wednesday, March 21, 2018 10:32:08 AM CET Miroslav Suchý wrote:
https://docs.google.com/forms/d/e/1FAIpQLSckxxUeAWKwUzjju6ftDjPeNWVWT_2_Y7md...
Do you plan to share this on the fedora devel list?
Pavel