buildbot-nix
Fine-Grained Personal Access Tokens don't need `repo:admin`
README.md assumes "classic" PATs. During setup of buildbot-nix, @Erethon and I noticed that it would probably be enough to create a Fine-Grained Personal Access Token with the following permissions for the buildbot GitHub account:
- Repository Permissions for "Webhooks" (read and write).
- Repository Permissions for "Commit Statuses" (read and write).
- Repository Permissions for "Contents" (read). We are configuring a public repo, so did not have to set this, but I guess that this is what would be needed for a private repo. StackOverflow seems to agree.
The account also needs "Write" Permissions on the repository. This seems to work fine. What's preventing their use is an explicit check in buildbot-nix that guards repository discovery:
https://github.com/Mic92/buildbot-nix/blob/077a60a5d040f7161c50a83d827db77a2a68ed9f/buildbot_nix/github_projects.py#L270-L274
This checking method is incompatible with Fine-Grained PATs. The response looks like this:
```json
{ "permissions": { "admin": false, "maintain": false, "push": false, "triage": false, "pull": true } }
```
One downside of Fine-Grained PATs is that such a check apparently cannot be implemented.
However, in case buildbot runs into a HTTP 401, it could also expose the contents of the response header X-Accepted-GitHub-Permissions in the logs:
> To help you choose the correct permissions, you will receive the X-Accepted-GitHub-Permissions header in the REST API response. The header will tell you what permissions are required in order to access the endpoint.
A benefit is that, well, it's true that permissions can be set in a much more fine grained way. It avoids having to give the bot user account admin permissions on the repo(s).
Our workaround was to switch buildbot from a "classic" PAT to a Fine-Grained PAT after it had installed the Webhook. Another option would of course be to patch away the above check.
Here's how that looks in Org settings at https://github.com/organizations/${NAME}/settings/personal-access-tokens/:
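As an added example (not buildbot-nix's own code), here is the admin-flag check from the issue next to the probing fallback it suggests: on a 401/403 the X-Accepted-GitHub-Permissions header is parsed and reported instead of the token being rejected outright. The `fetch` callable, the `Resp` type and the "name=level" header format are assumptions; the probe endpoints are standard GitHub REST paths.

```python
# Added example, not from buildbot-nix. Models the two behaviours the issue
# describes: the permissions.admin check that rejects fine-grained PATs, and a
# fallback that probes the endpoints buildbot needs and surfaces the
# X-Accepted-GitHub-Permissions header on a rejected request.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Resp:                 # constructed stand-in for an HTTP response
    status: int
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

# One probe per permission the issue lists (webhooks, statuses, contents).
PROBES = {
    "webhooks": "/repos/{repo}/hooks",
    "statuses": "/repos/{repo}/commits/HEAD/statuses",
    "contents": "/repos/{repo}/contents/",
}

def classic_admin_check(repo_resp: Resp) -> bool:
    """The guard the issue points at: requires permissions.admin == true.
    A fine-grained PAT reports admin/maintain/push as false even when it
    can write, so this returns False for it."""
    return bool(repo_resp.body.get("permissions", {}).get("admin"))

def parse_accepted(header: str) -> list:
    """Parse 'contents=read; statuses=write' into [(name, level), ...].
    Assumption: pairs are 'name=level', separated by ';' or ','."""
    parts = [p.strip() for p in header.replace(",", ";").split(";")]
    return [tuple(p.split("=", 1)) for p in parts if "=" in p]

def fine_grained_check(repo: str, fetch: Callable[[str], Resp]) -> dict:
    """Probe each needed endpoint; map failing probes to what GitHub says
    is required, so the log shows the missing permission, not just 401."""
    missing = {}
    for name, path in PROBES.items():
        r = fetch(path.format(repo=repo))
        if r.status in (401, 403):
            hdr = r.headers.get("X-Accepted-GitHub-Permissions", "")
            missing[name] = parse_accepted(hdr)
    return missing

def token_usable(repo: str, repo_resp: Resp, fetch: Callable[[str], Resp]):
    """Returns (kind, missing): 'classic' if admin is set, else the probe
    result; an empty `missing` means the fine-grained token suffices."""
    if classic_admin_check(repo_resp):
        return "classic", {}
    return "fine-grained", fine_grained_check(repo, fetch)
```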
@MagicRB is it still on your agenda to convert buildbot-nix into only using the GitHub app for everything?
Yep, I should get to it this weekend
> @MagicRB is it still on your agenda to convert buildbot-nix into only using the GitHub app for everything?
Was planning to start earlier, but then my parents came to visit and then right after I got sick. So that ate two weeks :)
@MagicRB you can steal the code for renewing GITHUB_TOKENs from a GitHub app from here: https://github.com/NixOS/nixpkgs-merge-bot/blob/1aad9bf9b570889da6555650f82d670fc2f73658/nixpkgs_merge_bot/github/GitHubClient.py#L218
You want to use buildbot's secret backend, likely because then you can read the token from a file. Those GitHub tokens need to be refreshed every hour or so. Last time I read the buildbot code, I think there was one case where it wouldn't use the secret backend and cache the token, but we can probably patch and upstream the fix. Unfortunately I don't recall where this was the case and if it was fixed.
Sounds like #127?
The PR exists, the code is in place, a mess has been created: #156
Next step: refactoring