
Decrease bot permission

Open: Carreau opened this issue 3 years ago • 1 comment

One of the goals for mr meeseeks is to not have write permission to repositories for security reasons, as most actions are done via the meeseeksmachine user, though it currently has write permission via "content".

Contents 
Repository contents, commits, branches, downloads, releases, and merges.

But also only to "pull requests"

Pull requests 
Pull requests and related comments, assignees, labels, milestones, and merges.

See https://github.com/organizations/MeeseeksBox/settings/apps/meeseeksdev/permissions if you have access.

I'd like to discuss what we can do to disable global write access to content, and which of the actions it can perform would be affected. For example, I don't know if code reformatting on a PR requires "content" access or "Pull requests" access.

Carreau, Apr 16 '22 10:04

As I understand it, the "Pull requests" access allows you to edit metadata about the Pull Request itself (labels, title, comments, etc). We need contents access on the org to "push as maintainer" to the branch, or contents access from the requestor to push directly to their fork.

blink1073, Apr 18 '22 11:04