
[pyup] Update pyup bot's GitHub token

Open KyleJu opened this issue 4 years ago • 7 comments

Robert has left the team and the GitHub token needs to be updated. https://github.com/web-platform-tests/wpt.fyi/pull/2330

KyleJu, Jan 12 '21 05:01

This bug report is a bit light on details...

  1. Is something actually broken due to this? pyup bot appears to be successfully making PRs: https://github.com/web-platform-tests/wpt.fyi/pull/2337
  2. How do we configure pyup-bot to use a different GitHub token? Where is pyup configured for wpt.fyi?

stephenmcgruer, Jan 12 '21 16:01

Oops, sorry about that.

> This bug report is a bit light on details...
>
>   1. Is something actually broken due to this? pyup bot appears to be successfully making PRs: #2337

Nothing is broken due to this. However, if you look at the bottom of https://github.com/web-platform-tests/wpt.fyi/pull/2330, the user who deleted that PR was Robert: "@Hexcles Hexcles deleted the py-scheduled-update-2021-01-04".

>   2. How do we configure pyup-bot to use a different GitHub token? Where is pyup configured for wpt.fyi?

The configuration file for pyup-bot is here. IIUC, Robert needs to remove himself from the pyup.io account and we have to create a new pyup.io account.

KyleJu, Jan 14 '21 06:01

Actually I am able to log into our repo here https://pyup.io/auth/github/login/. Let me see how I can update the GitHub token

KyleJu, Jan 14 '21 07:01

Cannot find anywhere to update GitHub token but it does say I cannot remove the wpt.fyi repo from pyup because Robert created it

KyleJu, Jan 14 '21 07:01

Hmm, interesting. I actually didn't know it was using my personal access token. It can -- it asked for public_repo scope: [screenshot]

However, it should really use its own bot account (it clearly has the permission to create branches, so it should be able to delete branches as well). You can see similar cases in the WPT repo: https://github.com/web-platform-tests/wpt/pull/23513#event-3325911693

Now I'm a bit hesitant to click the revoke button as I don't really understand what the warning means: [screenshot] Note that there is only a single button to revoke all public repos including WPT. I don't know what'd happen to WPT (I'd expect it not to be affected, as it seems to be using gsnedders' token).

We could do an experiment in a coordinated way, or perhaps someone could reach out to pyup support and ask for clarification (I can't find docs).

Hexcles, Feb 09 '21 16:02
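The two questions raised in the comment above (what a personal token is actually scoped to, and which identity the automation's branch operations run under) can be checked before anything is revoked. The script below is an added example, not code from the wpt.fyi project or from pyup. It assumes the `X-OAuth-Scopes` response header that GitHub returns for classic personal access tokens, the `head_ref_deleted` timeline event name, and a partial map of which broad scopes cover narrower ones; the PR numbers, account names and events are constructed sample data, not taken from the thread.

```python
"""Audit a GitHub token's scopes and a PR timeline for identity mix-ups.

Added example for the discussion above (not wpt.fyi or pyup code).
Check 1: compare the scopes GitHub reports for a token with the least set an
         automation needs, so you know what a single "revoke" would remove.
Check 2: scan PR timeline events and flag branch-lifecycle actions on
         bot-authored PRs that ran under a human's account instead of the bot's.
All sample data below is constructed; account names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Partial map of classic-token scope implications (`repo` covers `public_repo`).
# Assumption: only the entries needed for this example are listed.
SCOPE_IMPLIES: dict[str, set[str]] = {
    "repo": {"public_repo", "repo:status"},
}


def parse_scopes(header_value: str) -> set[str]:
    """Parse the comma-separated X-OAuth-Scopes header into a set of names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def effective_scopes(scopes: Iterable[str]) -> set[str]:
    """Expand broad scopes into the narrower scopes they also grant."""
    out = set(scopes)
    for scope in list(out):
        out |= SCOPE_IMPLIES.get(scope, set())
    return out


def scope_audit(granted_header: str, required: set[str]) -> dict[str, set[str]]:
    """Return the scopes the token lacks and the ones it holds beyond need."""
    granted = effective_scopes(parse_scopes(granted_header))
    return {
        "missing": required - granted,
        "excess": granted - effective_scopes(required),
    }


@dataclass(frozen=True)
class TimelineEvent:
    event: str   # GitHub timeline event name, e.g. "head_ref_deleted"
    actor: str   # login shown as the actor on the event
    number: int  # PR the event belongs to


def automation_under_human_identity(
    events: Iterable[TimelineEvent],
    pr_authors: dict[int, str],
    bot_logins: set[str],
    automated_events: frozenset[str] = frozenset({"head_ref_deleted", "head_ref_force_pushed"}),
) -> list[TimelineEvent]:
    """Branch-lifecycle events on bot-authored PRs whose actor is not a bot.

    These are the cases where the bot is acting with a person's credentials.
    """
    return [
        e for e in events
        if e.event in automated_events
        and pr_authors.get(e.number) in bot_logins
        and e.actor not in bot_logins
    ]


# Constructed sample data (hypothetical accounts and PR numbers).
SAMPLE_PR_AUTHORS = {101: "dependency-bot", 102: "human-maintainer", 103: "dependency-bot"}
SAMPLE_EVENTS = [
    TimelineEvent("head_ref_deleted", "human-maintainer", 101),  # bot PR, human identity
    TimelineEvent("head_ref_deleted", "human-maintainer", 102),  # human's own PR: normal
    TimelineEvent("head_ref_deleted", "dependency-bot", 103),    # bot PR, bot identity
    TimelineEvent("commented", "human-maintainer", 103),         # not a branch action
]


if __name__ == "__main__":
    print(scope_audit("public_repo, gist", {"public_repo"}))
    for ev in automation_under_human_identity(SAMPLE_EVENTS, SAMPLE_PR_AUTHORS, {"dependency-bot"}):
        print(f"PR #{ev.number}: {ev.event} by {ev.actor}, expected a bot account")
```

`scope_audit` is the part to run against a real token: a `public_repo` scope is repository-wide for every public repo the user can push to, which is why the revoke dialog in the screenshot covers WPT as well as wpt.fyi. A header of `repo` would report `repo` and `repo:status` as excess for a bot that only needs `public_repo`.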

Thanks Robert, appreciate you checking so thoroughly.

> perhaps someone could reach out to pyup support and ask for clarification (I can't find docs).

@KyleJu - can you open an issue against pyup and ask why branch deletions appear as the user who originally set up pyup, rather than using its own bot account (which appears to be the thing used to create branches and pull requests)?

stephenmcgruer, Feb 12 '21 13:02

> Thanks Robert, appreciate you checking so thoroughly.
>
> > perhaps someone could reach out to pyup support and ask for clarification (I can't find docs).
>
> @KyleJu - can you open an issue against pyup and ask why branch deletions appear as the user who originally set up pyup, rather than using its own bot account (which appears to be the thing used to create branches and pull requests)?

Yeah, I will file an issue.

KyleJu, Feb 12 '21 18:02

Obsolete

KyleJu, Mar 02 '23 22:03