contrib: Allow use of github API authentication in github-merge #15165
Print detailed error, this makes it easier to diagnose github API issues.
Sometimes it can be useful to use github-merge with read-only access (say, for reviewing and testing).
The API request limit for unauthenticated requests is quite low. I started running into rate limiting errors. The limit for authenticated requests is much higher. This patch adds an optional configuration setting `user.ghtoken` that, when set, is used to authenticate requests to the API.
72fd012 to f1bd219
Concept ACK. I have the same local patches, but probably did it less clean. Will take a look later.
@@ -119,7 +119,25 @@ Configuring the github-merge tool for the bitcoin repository is done in the foll | |||
|
|||
git config githubmerge.repository bitcoin/bitcoin | |||
git config githubmerge.testcmd "make -j4 check" (adapt to whatever you want to use for testing) | |||
git config --global user.signingkey mykeyid (if you want to GPG sign) | |||
git config --global user.signingkey mykeyid |
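Review bot: The `user.signingkey` line loses its "(if you want to GPG sign)" qualifier but gains nothing in its place; if signing is required for this workflow, say so explicitly next to the setting (for example a short "required" remark on its own line) so readers do not take it for one more optional knob. The `githubmerge.testcmd` context line directly above still carries an inline parenthetical after the command, which fails if the line is pasted into a shell; moving such remarks onto separate comment lines would make the whole block safe to copy. Because this doc edit is unrelated to API authentication, it should at least be mentioned in the commit message.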
Removed the `(if you want to GPG sign)` intentionally here. I know it's unrelated to this patch, but GPG signing has been mandatory for forever and I don't think this one-line doc change warrants another commit.
FWIW: There was some discussion on IRC about storing authentication tokens in the git configuration. According to @promag this is not a good idea (I guess because some people have these files under version control?). He suggests using an environment variable instead. I'm not sure if this is a good idea because environment variables 'leak' through What I use myself is
Then the secrets files (with very restricted permissions) contains the ghtoken, and SMTP authentication for sending mail (for sending Linux patches).
It is a read-only token, so the worst thing that could happen is that someone can get you rate-limited?
utACK
@MarcoFalke It's whatever perms you set on the token. It seems like GitHub allows you to create permission-less tokens. So it shouldn't even have read access, if you create it as such. So in that case, yes. The worst thing is someone uses up all your requests and you get rate limited again.
Link to GitHub documentation on this: Very small nit: you could also set User-Agent here. GitHub requires a User-Agent to be set for all API requests. I don't know of a case where
I think it's wise to set as little privileges on the token as possible. This is why in the documentation I suggest creating a token without extra privileges.
urllib (in Python 3.x, which is the only version supported) sets the User Agent to
Yes, totally. I wasn't trying to say to do anything different. Just saying that if you screw up and give the token full access, your attack surface is full access.
Yeah, that will definitely work and I don't see that changing. Just making a comment about User-Agent requirements if we wanted to be explicit about setting it.
utACK
Concept ACK
👍
I think one argument for setting a custom User Agent here, other than the default python one, would be so that github knows what is using their API—simply by googling the UA string. But that starts to be relevant for scripts that generate a lot of traffic.
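The thread above weighs three things: keeping the token in a tightly permissioned secrets file, giving it as few privileges as possible, and sending an explicit User-Agent. The following is an added example, not code from this pull request or from `github-merge.py`, showing one way to combine them with `urllib`. The helper names, the `USER_AGENT` string, the secrets-file layout (token as the only content) and the use of the `token` Authorization scheme are assumptions.

```python
import os
import stat
import urllib.request

# Hypothetical UA string; pick one that identifies your own script.
USER_AGENT = "github-merge-example/0.1"


def load_token(path):
    """Read an API token from `path`, refusing files with lax permissions."""
    with open(path, encoding="utf-8") as f:
        # fstat on the open descriptor avoids a check-then-open race.
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other access set, use chmod 600")
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            raise PermissionError(f"{path}: not owned by the current user")
        token = f.read().strip()
    if not token:
        raise ValueError(f"{path}: empty token")
    return token


def build_request(url, token=None):
    """Build an API request; authenticate only when a token is supplied."""
    headers = {"User-Agent": USER_AGENT}
    if token:
        headers["Authorization"] = "token " + token
    return urllib.request.Request(url, headers=headers)


def describe(req):
    """Header summary that is safe to log: the token value is masked."""
    return {k: "<redacted>" if k.lower() == "authorization" else v
            for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed sample value, not a real token; no network request is made.
    req = build_request(
        "https://api.github.com/repos/bitcoin/bitcoin/pulls/15165",
        "constructed-token-value")
    print(describe(req))
```

Masking the header in `describe` matters once detailed HTTP error reporting is enabled, since a dumped request would otherwise put the token in terminal scrollback or logs.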
…ub-merge

f1bd219 contrib: Allow use of github API authentication in github-merge (Wladimir J. van der Laan)
a4c5bbf contrib: Add support for http[s] URLs in github-merge (Wladimir J. van der Laan)
059a3cf contrib: Detailed reporting for http errors in github-merge (Wladimir J. van der Laan)

Pull request description:

Three commits I had locally for `github-merge.py`:

- *Detailed reporting for http errors in github-merge*: Print detailed error, this makes it easier to diagnose github API issues.
- *Add support for http[s] URLs in github-merge*: Sometimes it can be useful to use github-merge with read-only access (say, for reviewing and testing from untrusted VMs).
- *Allow use of github API authentication in github-merge*: The API request limit for unauthenticated requests is quite low. I started running into rate limiting errors. The limit for authenticated requests is much higher. This patch adds an optional configuration setting `user.ghtoken` that, when set, is used to authenticate requests to the API.

Tree-SHA512: ca8ae1874a787263e49d915d7cf31c0c0f50aba229c9440265bf1fda69f7e00641d1492512b93d76c17ff1766859283d640d37770acb120898736ad97efbd5c2
post-merge utACK bcdd31f