fix(github): drop capability scoping, use full installation scope#420
Merged
Conversation
Adds workflows.read and workflows.write to the GitHub plugin capabilities, and updates setup docs accordingly. Fixes #400 Action taken on behalf of David Cramer. --- [View Session in Sentry](https://sentry.sentry.io/traces/?project=4510944073809921&query=gen_ai.conversation.id%3A%22slack%3AC0AHB7N2JCR%3A1779917010.421049%22)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Capabilities were being translated into a scoped permissions object on every token mint, which meant any GitHub permission not listed would 403 even when the app installation had it. Since the installation is the real trust boundary, omit the permissions field entirely and let GitHub return a full-scope installation token. - Remove capabilities block from plugin.yaml - Broker skips permissions in token request when no capabilities declared - Capabilities still work for plugins that explicitly declare them - Update tests to reflect new no-scoping default Fixes #400
sentry-junior
Bot
changed the title
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 34173ee. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The capabilities list in
plugin.yamlwas being translated into a scopedpermissionsobject on every token mint. This meant any GitHub permission not listed in capabilities would 403 — even when the app installation already had it. That's the wrong trust boundary.This PR:
capabilitiesblock fromplugin.yamlentirelypermissionsfrom the token request when no capabilities are declared — GitHub then issues a full-scope installation tokenWorkflows: Writeto setup docs, since that installation permission is needed to push workflow filescapabilitiesToPermissionsfunctional for any plugin that explicitly declares capabilitiesThe GitHub App installation settings remain the real permission boundary.
Changed:
packages/junior-github/plugin.yaml— capabilities block removedpackages/junior/src/chat/plugins/auth/github-app-broker.ts— permissions field omitted from token request when capabilities absentpackages/junior/tests/unit/plugins/github-app-broker.test.ts— tests updated for no-capabilities default + capabilities-present casepackages/junior-github/SETUP.md+packages/docs/.../github-plugin.md— Workflows: Write added to installation setup checklistFixes #400
Action taken on behalf of David Cramer.
View Session in Sentry