Flag for manual review design doc #6138
From the CircleCI docs:
who has SSH access to these builds?
My understanding is that anyone who has an SSH public key on Github will be able to connect. I re-ran a job with SSH and this is what I see:
So anytime we deliberately kick off a job with SSH access, we should be able to see whoever connects to it.
anyone with an SSH public key? So, that sounds to me like the GitHub bot auth token can be accessed by anyone?
I found a more specific answer in the docs:
When I try to go to the project website in a private window it blocks me and forces me to authenticate with GitHub or Bitbucket.
I created a fake GitHub account to test this and was able to log in and view the project in Circle, but I can't even look at the project settings. I get errors when I try to follow the project, and I can't see the list of branches either. The option to trigger an SSH build is disabled as well:
After seeing all of this, I think that project access in circle requires an account to be a part of the Github organization that the repo is associated with. I've looked around at various settings to try to get a more definitive answer, but I'm not an organization admin in Circle so there are certain things I can't see. I wonder if this page would be helpful.
https://discuss.circleci.com/t/disable-ssh/31057 has a couple key things:
Related question to investigate: how often do we hand out `write` permission on vets-website/vets-api, or do we generally keep people's access to `read`?
This made me wonder, what kinds of access does our bot token have? Can we keep that as minimal as possible? (read-only + posting comments?).
Other possible idea: it sounds like contexts might be useful here.
Do you know who gives `write` access to people?
Our bot token has the `public_repo` scope. I believe that this is the least permissions that we can give it in order for it to do its job, but it does include write access for our public repos. Here is a relevant Slack thread.
Contexts are something that I haven't explored deeply. I'm interested to see how we could use them, but I don't have permissions to manage security groups so I'm a bit limited.
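The question raised in this thread, what access the bot token actually has and whether it is the minimum for the job, can be checked rather than assumed. The script below is an added example for this discussion, not code from the pull request or from the project. It assumes a classic GitHub token (GitHub reports a classic token's granted scopes in the `X-OAuth-Scopes` response header on API calls) and takes `public_repo` as the assumed required baseline, since classic tokens have no comment-only scope.

```python
"""Audit the scopes of a GitHub classic (OAuth / personal access) token.

Added example for this discussion; it is not code from the pull request or
from the project. It assumes a classic token, for which GitHub reports the
granted scopes in the X-OAuth-Scopes response header of every API call.
"""
import urllib.request

# Assumed minimum for the bot's job (posting comments on public repos):
# on classic tokens there is no comment-only scope, so `public_repo` is
# taken here as the required baseline.
REQUIRED_SCOPES = frozenset({"public_repo"})

# Broader scopes that implicitly grant a narrower one. Only the one
# relationship this audit relies on is listed: `repo` covers `public_repo`.
IMPLIED_SCOPES = {"repo": {"public_repo"}}


def parse_scopes(header_value):
    """Turn an X-OAuth-Scopes value such as 'public_repo, read:org' into a set."""
    if not header_value:
        return set()
    return {part.strip() for part in header_value.split(",") if part.strip()}


def effective_scopes(granted):
    """Expand granted scopes with the narrower scopes they imply."""
    effective = set(granted)
    for scope in list(granted):
        effective |= IMPLIED_SCOPES.get(scope, set())
    return effective


def audit_scopes(granted, required=REQUIRED_SCOPES):
    """Compare granted scopes to the required baseline.

    Returns what the job still lacks, what is granted beyond it, and whether
    the token is least-privilege for the assumed job.
    """
    effective = effective_scopes(granted)
    missing = sorted(set(required) - effective)
    excess = sorted(effective - set(required))
    return {"missing": missing, "excess": excess,
            "least_privilege": not missing and not excess}


def fetch_token_scopes(token, api_root="https://api.github.com/"):
    """Ask GitHub which scopes `token` carries. Needs network access."""
    request = urllib.request.Request(
        api_root,
        headers={"Authorization": f"token {token}",
                 "User-Agent": "token-scope-audit"},
    )
    with urllib.request.urlopen(request) as response:
        return parse_scopes(response.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    import os
    import sys

    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        sys.exit("set GITHUB_TOKEN to the bot token to audit")
    report = audit_scopes(fetch_token_scopes(token))
    print(report)
    sys.exit(0 if report["least_privilege"] else 1)
```

Run it with the bot token in `GITHUB_TOKEN`; a non-zero exit means the token either cannot do the assumed job or carries more than it needs, and the printed report names the scopes either way. A fine-grained token does not send `X-OAuth-Scopes`, so it shows up here as "missing public_repo"; for those tokens the repository permissions must be reviewed in the token's settings instead.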
VA has an entire GitHub admin group. You can also talk to @ricetj about longer-term strategy for ownership on these repos, or (more immediately helpful) see if you can track down an admin for `vets-website` and `vets-api` to see how we've handed out write access so far. It's possible that most people just have `read` access and that this isn't a concern, but `write` access is typically needed for managing issues, which might mean we've handed it out more broadly.
hmm, this set of information is making me more and more concerned 😬
What does the bot need from `public_repo` that it can't get from `(no scope)`?
FWIW, write access is needed by a GitHub team for codeowners to trigger, so every VFS member has write access to the repo.
All of the FE group on VSP has admin access.
Generally everyone has `write` access.
This is cool