-
Notifications
You must be signed in to change notification settings - Fork 24.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(dev-infra): merge script should not always require full repo permissions #37718
fix(dev-infra): merge script should not always require full repo permissions #37718
Conversation
8841384
to
4dd510e
Compare
…issions We recently added OAuth scope checking to the dev-infra Git client and started leveraging it for the merge script. We set the `repo` scope as required for running the merge script. We can loosen this requirement as in the Angular org where the script is consumed, only pull requests on public repositories are merged through the script. This should help with reducing the risk with compromised tokens as no access had to be granted on `repo:invite`, `repo_deployment` etc.
4dd510e
to
0e3b2ed
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just one more high level question I wanted to make sure we think through.
@devversion Removed the cleanup and merge labels, so that you can mark for merge once you are ready. |
Hi @devversion, this PR had some conflicts with the patch branch, so I merged it to master only. Could you please create a new PR that targets a patch branch? Thank you. |
* upstream/master: (861 commits) ci: decrease payload size limit for integration tests (angular#37784) fix(core): error when invoking callbacks registered via ViewRef.onDestroy (angular#37543) fix(core): don't consider inherited NG_ELEMENT_ID during DI (angular#37574) ci: decrease expected AIO and integration payload sizes (angular#36578) (angular#36578) fix(core): determine required DOMParser feature availability (angular#36578) (angular#36578) refactor(core): split inert strategies to separate classes (angular#36578) (angular#36578) fix(core): do not trigger CSP alert/report in Firefox and Chrome (angular#36578) (angular#36578) fix(language-service): incorrect autocomplete results on unknown symbol (angular#37518) docs: release notes for the v10.0.1 release ci: exclude "docs" commit type from minBodyLength commit message validation (angular#37764) feat(dev-infra): add support for minBodyLengthTypeExcludes to commit-message validation (angular#37764) feat(platform-browser): Allow `sms`-URLs (angular#31463) refactor(core): throw more descriptive error message in case of invalid host element (angular#35916) build: move shims_for_IE to third_party directory (angular#37624) refactor(compiler-cli): Remove any cast for CompilerHost (angular#37079) fix(language-service): reinstate getExternalFiles() (angular#37750) docs: correct outdated dev instructions for public api golds (angular#37026) docs: add note about the month being zero-based in the Date constructor (angular#37770) fix(dev-infra): merge script should not always require full repo permissions (angular#37718) fix(dev-infra): support running scripts from within a detached head (angular#37737) ...
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
…issions (angular#37718) We recently added OAuth scope checking to the dev-infra Git client and started leveraging it for the merge script. We set the `repo` scope as required for running the merge script. We can loosen this requirement as in the Angular org where the script is consumed, only pull requests on public repositories are merged through the script. This should help with reducing the risk with compromised tokens as no access had to be granted on `repo:invite`, `repo_deployment` etc. PR Close angular#37718
We recently added OAuth scope checking to the dev-infra Git client
and started leveraging it for the merge script. We set the
repo
scopeas required for running the merge script. We can loosen this requirement
as in the Angular org where the script is consumed, only pull requests on
public repositories are merged through the script.
This should help with reducing the risk with compromised tokens as no
access had to be granted on
repo:invite
,repo_deployment
etc.