
feature: github event logging

Open jbergstroem opened this issue 9 years ago • 7 comments

Read all events from github (from commits to pushes to merges to acl, etc) and store them in a database for later use. The idea here is to be able to:

  • investigate security incidents (audits -- warn on force pushes, suspicious activity, etc)
  • show interesting statistics, perhaps even part of nodejs.org (pushes day/interesting people/new joins/etc)

jbergstroem avatar Sep 07 '16 17:09 jbergstroem
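A sketch of the event sink the issue describes, added here as an example and not code from the github-bot project: it authenticates a webhook delivery via the `X-Hub-Signature-256` header, stores it, and flags force pushes and access changes. The function names, the in-memory `log` array standing in for the database, and the sample delivery are assumptions made for illustration.

```javascript
// Added example: audit-log sink for GitHub webhook deliveries (names are hypothetical).
const crypto = require('node:crypto');

// GitHub signs each delivery: X-Hub-Signature-256 = "sha256=" + hex HMAC of the raw body.
function verifySignature(secret, rawBody, header) {
  const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  const a = Buffer.from(expected);
  const b = Buffer.from(String(header || ''));
  // Length check first: timingSafeEqual throws on buffers of different length.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Turn one event into audit findings, using fields GitHub sends in its webhook payloads.
function classify(event, p) {
  const findings = [];
  if (event === 'push' && p.forced) findings.push(`force push to ${p.ref}`);
  if (event === 'push' && p.deleted) findings.push(`ref deleted: ${p.ref}`);
  if (event === 'member' || event === 'membership' || event === 'team') {
    findings.push(`access change: ${event}.${p.action}`);
  }
  if (event === 'repository' && p.action === 'publicized') findings.push('repository made public');
  return findings;
}

// Store one delivery; unauthenticated deliveries never reach the log.
function recordDelivery(log, secret, headers, rawBody) {
  if (!verifySignature(secret, rawBody, headers['x-hub-signature-256'])) {
    return { stored: false, reason: 'bad signature' };
  }
  const event = headers['x-github-event'];
  const payload = JSON.parse(rawBody);
  const row = {
    id: headers['x-github-delivery'],
    event,
    repo: payload.repository ? payload.repository.full_name : null,
    actor: payload.sender ? payload.sender.login : null,
    findings: classify(event, payload),
    payload, // full payload kept for later investigation
  };
  log.push(row);
  return { stored: true, row };
}

// Constructed sample delivery (not real data): a force push, then the same body with a wrong secret.
function demo() {
  const secret = 'constructed-secret';
  const body = JSON.stringify({ ref: 'refs/heads/master', forced: true, deleted: false,
    repository: { full_name: 'example-org/example-repo' }, sender: { login: 'example-user' } });
  const sig = 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  const headers = { 'x-github-event': 'push', 'x-github-delivery': 'constructed-1', 'x-hub-signature-256': sig };
  const log = [];
  return { ok: recordDelivery(log, secret, headers, body), bad: recordDelivery(log, 'wrong', headers, body), log };
}
```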

https://www.githubarchive.org keeps track of the events.

Additionally, I have a project that is tracking all of the events which I import to a postgres database. Still a WIP.

williamkapke avatar Sep 24 '16 18:09 williamkapke

@williamkapke (ref gharchive) that's just public and not stuff like team changes. We want all the stuff.

jbergstroem avatar Sep 24 '16 23:09 jbergstroem

@jbergstroem I was under the impression that the TSC wouldn't approve an org wide hook... but open an issue and find out for certain! It would really make things easier.

williamkapke avatar Sep 26 '16 17:09 williamkapke

@williamkapke I don't know the permissions well enough but was hoping we'd at least have a read-only option for the event logging scenario.

jbergstroem avatar Sep 26 '16 17:09 jbergstroem

The new integration feature seems to have read-only for everything. Such an integration could be created by the organization, giving the org admins all the control they need. And given the fact that it would be created and hosted by us, there's surely reason to challenge the no org wide hook policy.

All the "no access" buttons below can be set to "read-only":

image

phillipj avatar Sep 26 '16 18:09 phillipj

... Anyhow, all I know is that there's private stuff in the Security repo that a few people said they didn't want broadcast anywhere. Integrations won't change that. I'm only the messenger... I'll let them speak up for themselves beyond this. ;)

williamkapke avatar Sep 26 '16 21:09 williamkapke

No worries, not trying to shoot down the messenger.

IMO there's a big difference in 3rd party integrations and integrations we create ourselves. Thinking about it, whenever I've heard about the no org wide webhook policy, there's been emphasis on 3rd party webhooks.

On Monday, 26 September 2016, William Kapke wrote:

... Anyhow, all I know is that there's private stuff in the Security repo that a few people said they didn't want broadcast anywhere. Integrations won't change that. I'm only the messenger... I'll let them speak up for themselves beyond this. ;)


phillipj avatar Sep 27 '16 05:09 phillipj