microsoft-graph-devx-api

Consider alternatives for reading OpenAPI and metadata dependencies

Open zengin opened this issue 3 years ago • 2 comments

Describe the bug

Currently DevX API reads metadata and OpenAPI documents directly from the msgraph-metadata GitHub repo, which makes it susceptible to issues like: https://github.com/microsoftgraph/msgraph-metadata/pull/172

Expected behavior

Production sources should be guarded with more checks than mere write access to a GitHub repo, especially when an automated pipeline has direct write access (as in the case of the generation process).

zengin, Jun 27 '22 23:06

Agreed with this; there isn't sufficient access control.

ddyett, Jun 27 '22 23:06

If we change the production of clean metadata to be based on the schemas folder, we will have the schemas update PR as a gate. Currently we are pulling from $metadata without a gate. Moving to the schemas will address a range of different issues.

darrelmiller, Sep 08 '22 14:09