gruntwork-installer
gruntwork-installer copied to clipboard
Reduce GitHub token scope needed to use gruntwork-install (from `repo` to `package:read`)
This issue is not valid - gruntworks modules are published via GitHub releases, not packages.
Hello 👋
My name is Peter and I work at FreeAgent. We use Gruntworks extensively - thanks for your great work, it helps us a lot! I've got one quick request to raise however:
Currently the gruntwork-installer
requires a GITHUB_OAUTH_TOKEN
to be able to access the gruntworks modules as they live in private GitHub repositories.
This GITHUB_OAUTH_TOKEN
currently needs to be a "Private Access Token" (link) with repo
access. This means that the token has full read & write access to all repositories that that user has access to.
Describe the solution you'd like
Following the principle of least privilege, would it be possible to alter the installer to only need a GITHUB_OAUTH_TOKEN
with read:package
access.
The binaries that are eventually installed (in the use cases I've come across) are published as packages to GitHub, but I think the gruntworks-installer fails because it queries the tags before installing (logs at the bottom).
This might require adding an optional parameter to manually specify the GitHub release?
Describe alternatives you've considered None
Additional context
The motivation behind wanting not to have a repo
scoped token in our pipeline is that we'd like to allow dependabot to create PR and run CI, but want to grant as few permissions to that workflow as possible to mitigate against a malicious package stealing tokens.
Failure log when using a GITHUB_OAUTH_TOKEN
scoped to only package:read
:
#8 0.830 2022-04-26 10:49:41 [INFO] [gruntwork-install] Installing gruntkms...
#8 1.048 [fetch] time="2022-04-26T10:49:41Z" level=error msg="\nReceived an HTTP 404 Response when attempting to query the repo for its tags.\n\nThis means that either no GitHub repo exists at the URL provided, or that you don't have permission to access it.\nIf the URL is correct, you may need to pass in a --github-oauth-token.\n\nUnderlying error message:\nReceived HTTP Response 404 while fetching releases for GitHub URL https://api.github.com/repos/gruntwork-io/gruntkms/tags?per_page=100. Full HTTP response: {\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/rest/reference/repos#list-repository-tags\"}\n\n"
#8 ERROR: process "/bin/sh -c curl -LSs https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version \"$GRUNTWORK_INSTALLER_VERSION\" && gruntwork-install --repo \"[https://github.com/gruntwork-io/gruntkms\](https://github.com/gruntwork-io/gruntkms/)" --binary-name \"gruntkms\" --tag \"$GRUNTKMS_VERSION\"" did not complete successfully: exit code: 1
Hello again.
I've realised now that the gruntworks modules are published as releases (not packages) - which still need the repo
scope - they are not published as packages making this issue invalid with the way gruntworks patterns currently work.
I'll leave this issue open for you to triage (and close). Hopefully it might help document why the token is needed and perhaps might also spark some ideas about how to publish modules without needing quite as widely scoped a token - although GitHub make it quite hard to do it!
Thanks anyway.