
GitHub App can only list public containers from repo

Open eleftherias opened this issue 1 year ago • 3 comments

GitHub fine-grained tokens, including the tokens generated by GitHub Apps, do not have access to list all the containers associated with a repository.

In Minder's implementation of the GitHub App provider, we use a fallback token in order to list the containers associated with a repository. https://github.com/stacklok/minder/blob/f716baa8d6e97a5ef246c8afe1176dc8c44b07df/internal/providers/github/common.go#L169 However, this token only has access to public packages on public repos.

This is a limitation of the GitHub packages API. There is currently no issue in the GitHub backlog that is tracking this feature, but it is related to https://github.com/github/roadmap/issues/558.

eleftherias, May 08 '24 14:05

@ethomson -- is this something we want to spend influence with GitHub on?

evankanderson, Jul 30 '24 13:07

I've yelled about it to the PM, I'll yell about it some more, but it doesn't seem like something they're likely to fix in the near term.

ethomson, Jul 30 '24 14:07

This is a real and valid issue, still.

evankanderson, Dec 03 '24 14:12