fix(dev-infra): merge script should not always require full repo permissions #37718
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
devversion
added
action: review
devversion
force-pushed
the
fix/dev-infra-require-only-public-repo-permission
branch
from
8841384
to
4dd510e
Compare
…issions We recently added OAuth scope checking to the dev-infra Git client and started leveraging it for the merge script. We set the `repo` scope as required for running the merge script. We can loosen this requirement as in the Angular org where the script is consumed, only pull requests on public repositories are merged through the script. This should help with reducing the risk with compromised tokens as no access had to be granted on `repo:invite`, `repo_deployment` etc.
devversion
changed the title
devversion
force-pushed
the
fix/dev-infra-require-only-public-repo-permission
branch
from
4dd510e
to
0e3b2ed
Compare
devversion
added
action: merge
josephperrott
approved these changes
Jun 25, 2020
josephperrott
added
action: cleanup
|
@devversion Removed the cleanup and merge labels, so that you can mark for merge once you are ready. |
AndrewKushnir
added
target: major
|
Hi @devversion, this PR had some conflicts with the patch branch, so I merged it to master only. Could you please create a new PR that targets a patch branch? Thank you. |
drewswanner
pushed a commit
to drewswanner/angular
that referenced
this pull request
Jun 29, 2020
* upstream/master: (861 commits) ci: decrease payload size limit for integration tests (angular#37784) fix(core): error when invoking callbacks registered via ViewRef.onDestroy (angular#37543) fix(core): don't consider inherited NG_ELEMENT_ID during DI (angular#37574) ci: decrease expected AIO and integration payload sizes (angular#36578) (angular#36578) fix(core): determine required DOMParser feature availability (angular#36578) (angular#36578) refactor(core): split inert strategies to separate classes (angular#36578) (angular#36578) fix(core): do not trigger CSP alert/report in Firefox and Chrome (angular#36578) (angular#36578) fix(language-service): incorrect autocomplete results on unknown symbol (angular#37518) docs: release notes for the v10.0.1 release ci: exclude "docs" commit type from minBodyLength commit message validation (angular#37764) feat(dev-infra): add support for minBodyLengthTypeExcludes to commit-message validation (angular#37764) feat(platform-browser): Allow `sms`-URLs (angular#31463) refactor(core): throw more descriptive error message in case of invalid host element (angular#35916) build: move shims_for_IE to third_party directory (angular#37624) refactor(compiler-cli): Remove any cast for CompilerHost (angular#37079) fix(language-service): reinstate getExternalFiles() (angular#37750) docs: correct outdated dev instructions for public api golds (angular#37026) docs: add note about the month being zero-based in the Date constructor (angular#37770) fix(dev-infra): merge script should not always require full repo permissions (angular#37718) fix(dev-infra): support running scripts from within a detached head (angular#37737) ...
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
profanis
pushed a commit
to profanis/angular
that referenced
this pull request
Sep 5, 2020
…issions (angular#37718) We recently added OAuth scope checking to the dev-infra Git client and started leveraging it for the merge script. We set the `repo` scope as required for running the merge script. We can loosen this requirement as in the Angular org where the script is consumed, only pull requests on public repositories are merged through the script. This should help with reducing the risk with compromised tokens as no access had to be granted on `repo:invite`, `repo_deployment` etc. PR Close angular#37718
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We recently added OAuth scope checking to the dev-infra Git client
and started leveraging it for the merge script. We set the
reposcopeas required for running the merge script. We can loosen this requirement
as in the Angular org where the script is consumed, only pull requests on
public repositories are merged through the script.
This should help with reducing the risk with compromised tokens as no
access had to be granted on
repo:invite,repo_deploymentetc.