This was brought up in issue #75.
When GitHub Enterprise is run in private mode it prevents using git:// to clone public projects. This means every repository should be treated as a private repository -- using the git@ URL and adding the SSH deploy key.
You can still use HTTP to clone repos when GH:E is in private mode. It would only require an OAuth token with the right privileges. Using OAuth tokens is easier to manage, since you don't have to add the deploy key to every repo, and probably more secure, since revoking access only requires you to remove the grant for the token in your organization.
Yes, we can definitely alter our approach to use the GitHub OAuth token. In this case I think we'll want to generate a .netrc file to store the credentials in the container. This would allow an individual to clone multiple private repositories as part of their build script without embedding credentials in the .drone.yml file.
we need to rework our git logic anyway to support caching:
I wanted to document a conversation I'm having on our mailing list. It looks like GitHub now offers admin:repo_hook, which means we can probably re-think our scopes and require much less invasive permissions.
I think we should use these scopes:
admin:repo_hook -> this allows us to write hooks to the repo
repo:status -> this allows us to write the build status to GitHub
user:email -> this allows us to retrieve the user details, including the email
We wouldn't be able to add an SSH key to the repository with the above scopes, however, this would be resolved (as mentioned above) by using the OAuth token to clone the repository, using the https address:
git clone https://<token>:email@example.com/owner/repo.git
I believe the .netrc will still be very important. We'll need to ensure we can clone private dependencies (when using things like go get, for example). We'll need to account for this when generating our build container.
We'll also need to add the username/password to build.Builder.Repo somewhere in the queue (I think).
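As an added example (not Drone's own code, and not something posted in this thread), here is what the .netrc generation discussed above could look like in Go: it writes a .netrc into the build container's home directory with owner-only permissions, refuses to overwrite an existing file, and parses the result back so the caller can confirm the stanza is well formed before any clone runs. The host name, the placeholder token and the token-as-login / x-oauth-basic-as-password pairing are assumptions; the pairing mirrors the token-first clone URL quoted earlier in the thread, and GitHub also accepts the token in the password field with any login name.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// NetrcEntry is one "machine" stanza in a .netrc file.
type NetrcEntry struct {
	Machine  string
	Login    string
	Password string
}

// WriteNetrc writes dir/.netrc with mode 0600 so git (and tools built on it,
// such as go get) can authenticate to the listed hosts without the token
// appearing in .drone.yml, on a command line, or in the clone's remote URL.
func WriteNetrc(dir string, entries []NetrcEntry) (string, error) {
	path := filepath.Join(dir, ".netrc")
	var b strings.Builder
	for _, e := range entries {
		// .netrc is whitespace-delimited, so a value containing whitespace would
		// silently change the meaning of the file; reject it instead.
		if strings.ContainsAny(e.Machine+e.Login+e.Password, " \t\r\n") {
			return "", fmt.Errorf("netrc: field for %q contains whitespace", e.Machine)
		}
		fmt.Fprintf(&b, "machine %s login %s password %s\n", e.Machine, e.Login, e.Password)
	}
	// O_EXCL refuses to clobber a file that is already there; 0600 keeps the
	// token readable by the build user only.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.WriteString(b.String()); err != nil {
		return "", err
	}
	return path, nil
}

// ParseNetrc reads the machine/login/password subset of .netrc syntax that
// WriteNetrc emits, so a generated file can be verified before use.
func ParseNetrc(path string) ([]NetrcEntry, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	tokens := strings.Fields(string(data))
	var entries []NetrcEntry
	cur := -1 // index of the stanza currently being filled
	for i := 0; i < len(tokens); i++ {
		if i+1 >= len(tokens) {
			return nil, fmt.Errorf("netrc: keyword %q has no value", tokens[i])
		}
		switch tokens[i] {
		case "machine":
			entries = append(entries, NetrcEntry{Machine: tokens[i+1]})
			cur = len(entries) - 1
		case "login", "password":
			if cur < 0 {
				return nil, fmt.Errorf("netrc: %q before any machine stanza", tokens[i])
			}
			if tokens[i] == "login" {
				entries[cur].Login = tokens[i+1]
			} else {
				entries[cur].Password = tokens[i+1]
			}
		default:
			return nil, fmt.Errorf("netrc: unexpected token %q", tokens[i])
		}
		i++ // skip the value we just consumed
	}
	return entries, nil
}

func main() {
	home, err := os.MkdirTemp("", "build-home")
	if err != nil {
		panic(err)
	}
	// Constructed placeholder values; a real build would receive the token
	// from the queue, never from a file checked into the repository.
	entries := []NetrcEntry{{Machine: "github.com", Login: "TOKEN_PLACEHOLDER", Password: "x-oauth-basic"}}
	path, err := WriteNetrc(home, entries)
	if err != nil {
		panic(err)
	}
	back, err := ParseNetrc(path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrote %s with %d stanza(s); first host: %s\n", path, len(back), back[0].Machine)
}
```

With HOME pointing at that directory, `git clone https://github.com/owner/repo.git` picks the credentials up from .netrc by host name, which is why the token never has to be embedded in the URL: a token in the URL ends up both in the process argument list and in the clone's .git/config remote entry, whereas the .netrc form leaves it in one 0600 file that can be removed when the build finishes.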
I'm modifying the title of this issue to reflect the revised goal and solution.
Maybe I spoke too soon... It looks like to clone a repository we still need to request the repo scope, which requires read/write access to a repository.
I see GitHub has been doing a lot of work to add more fine-grained scopes. @calavera, are there plans to create a scope that can clone a repository without requiring write access? Something like repo:read?
Yes, the lack of a repo:read scope was the main roadblock I ran into when I was investigating this. Having that scope would be very useful.
AFAIK, the only way right now to clone a private repository without also requiring write access is to create a "machine user" with read-only permissions to the repository, which was the workaround I suggested on the mailing list. Unfortunately this user cannot create commit statuses and repo hooks on the organization's private repos.
Yep, the GitHub team has clearly been putting a lot of effort into security and scopes, which is awesome. I wouldn't be surprised if repo:read was on their roadmap. Hopefully @calavera has some inside information he can share :)
Would it be possible to let the user choose public_repo instead of only repo? I don't need drone.io for my private projects.
Fixed by #1511.