
Cannot assign GitHub team to reviews

Open · yoshi-koyama opened this issue 1 year ago • 3 comments

Describe the bug

I know this is a duplicate Issue, but I would like to discuss it with you.

The issues:

  • https://github.com/kentaro-m/auto-assign/issues/102
  • https://github.com/kentaro-m/auto-assign/issues/138

I am unable to assign a GitHub team as reviewers.

To Reproduce

I have been experimenting with this repository. https://github.com/reytech-co-jp/auto-assign-test

Steps to reproduce the behavior:

  1. Create an organization and a team. (screenshot: 2022-09-16 10 39 58)

  2. Create a repository. (screenshot: 2022-09-16 10 40 27)

  3. Configure auto-assign and enable auto-assign to access the repository https://github.com/apps/auto-assign (screenshot: 2022-09-16 10 42 08)

  4. Create ./.github/auto_assign.yml in the repository https://github.com/reytech-co-jp/auto-assign-test/blob/main/.github/auto_assign.yml

  5. Invite the team as a collaborator with Read access (screenshot: 2022-09-16 10 49 22)

  6. Make a pull request and see that no reviewers are assigned https://github.com/reytech-co-jp/auto-assign-test/pull/18

Expected behavior

I want the team to be assigned as reviewers.

Desktop (please complete the following information):

  • macOS
  • Chrome

Workaround

I have also considered GitHub's Code Review feature, but it is not available because I need to assign more than 3 people. https://docs.github.com/en/[email protected]/organizations/organizing-members-into-teams/managing-code-review-settings-for-your-team

Research

It seems necessary to change the permission settings as mentioned in this Issue. https://github.com/kentaro-m/auto-assign/issues/138#issuecomment-736012032

I suspect that a team that includes me can't be assigned as reviewers when I make a Pull Request.

Your help would be greatly appreciated. Thank you in advance.

yoshi-koyama avatar Sep 16 '22 02:09 yoshi-koyama

@yoshi-koyama

Thank you for reporting the Issue.

I would like to share my understanding and thoughts on this Issue. Please let me know your opinion.

Current Status

The Team Assign feature works as code but is not enabled in the hosted app. To enable this feature, the developer (me) needs to add permissions to the app.

After that, app users need to approve the added permission. All users of the app will be notified of this.

Alternatives

One way to enable the team assign feature is to self-host the app.

My thoughts

The reason I am not willing to add permissions is that the cost of running an app securely is high.

Security best practices for apps - GitHub Docs https://docs.github.com/en/developers/github-marketplace/creating-apps-for-github-marketplace/security-best-practices-for-apps

The apps I submit to the marketplace are hosted and managed by me. I patch my apps regularly to keep them secure. I also keep permissions to a minimum.

Additional permissions are required to enable the team assignment feature, but it allows the app to access more data.

It would be an unnecessary permission addition for users who do not want the team assignment feature. And with more data to handle, I will need to operate the app more carefully.

There is also a way to enable the feature by self-hosting the app.

For those reasons, I haven't done that so far.

I have not thoroughly investigated the risk of adding permissions, and I think that is something we should look into. I also believe that documentation support for this issue is needed.

kentaro-m avatar Sep 19 '22 10:09 kentaro-m

Thank you for your reply!

As you said, enabling this feature seems to cost a lot, and I understand that it would not fully follow the Security best practices for apps. https://docs.github.com/en/developers/github-marketplace/creating-apps-for-github-marketplace/security-best-practices-for-apps

Apps should use the principle of least privilege and should only request the OAuth scopes and GitHub App permissions that the app needs to perform its intended functionality.

And,

I also believe that documentation support for this issue is needed.

I agree with you. It would be much appreciated if you could document it.

Now that my questions have been answered, you can close this issue. Thank you for your sincere support.

koyama-yoshihito avatar Sep 21 '22 04:09 koyama-yoshihito

I created a pull request to modify README.md! https://github.com/kentaro-m/auto-assign/pull/209 I hope I can get feedback from you :)

koyama-yoshihito avatar Sep 21 '22 07:09 koyama-yoshihito