tighten vercel integration token handling
- reduce Vercel token scopes to the minimum required so a compromised token has the smallest possible blast radius
- verified from repo code: the internal Sentry app created for the Vercel integration currently requests project:releases, project:read, and project:write in src/sentry/integrations/vercel/integration.py (SentryAppCreator(... scopes=["project:releases", "project:read", "project:write"]) in post_install)
- verified from repo code: I do not see project:admin in that Vercel internal app scope list, so project:admin does not appear to be currently granted there
- current ask from product side: target project:write + project:read + project:releases, and determine what remaining concerns are not already satisfied by org:ci
- explicitly evaluate whether project:write is actually required or can be dropped after endpoint-by-endpoint verification; if removable, prefer the smaller set
- specifically map which Sentry API calls this flow makes for release creation/configuration and note which of those accept org:ci versus still requiring project scopes
- store the auth token as a sensitive value instead of a regular config value
- explicit mention: if needed, provision multiple tokens for preview and dev envs rather than sharing one token across all environments
- verified from Vercel docs: integrations can be restricted to selected projects via Manage -> Access -> Manage Access, which helps narrow blast radius even when project permissions are needed: https://vercel.com/docs/integrations/install-an-integration/manage-integrations-reference
- verified from Vercel docs + repo code: this integration reads projects and writes integration-owned env vars in Vercel (get_projects, get_project, get_env_vars, create_env_variable, update_env_variable in src/sentry/integrations/vercel/client.py), so document the minimal Vercel-side permissions/access needed as part of the implementation
- repo references for verification:
  - src/sentry/integrations/vercel/integration.py
  - src/sentry/integrations/vercel/client.py
  - src/sentry/api/bases/organization.py and src/sentry/api/bases/project.py for org:ci / project scope handling
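Added example (not Sentry's own code, and not a patch to the files listed above) covering two of the items in this list: writing the auth token to Vercel as a "sensitive" env var with one token per target instead of a shared one, and auditing a proposed Sentry scope set against the API calls the flow makes so that scopes no call needs (project:write is the candidate in question) are surfaced. The call-to-scope mapping EXAMPLE_CALLS is constructed for illustration and must be replaced with what endpoint-by-endpoint verification in src/sentry/api/bases finds; the payload shape follows the public Vercel env var API ("key", "value", "type", "target"), while the function names and the token values are hypothetical.

```python
from typing import Dict, List, Set

# Vercel env var targets; "sensitive" is the Vercel env var type whose value
# cannot be read back after creation, unlike plain or encrypted values.
VERCEL_TARGETS = ("production", "preview", "development")


def build_auth_token_env_vars(tokens_by_target: Dict[str, str]) -> List[dict]:
    """Return one SENTRY_AUTH_TOKEN env var payload per Vercel target.

    tokens_by_target maps a Vercel target name to the Sentry token provisioned
    for that environment, so preview and dev never share production's token.
    Hypothetical helper: the real integration code is not reproduced here.
    """
    payloads = []
    for target, token in tokens_by_target.items():
        if target not in VERCEL_TARGETS:
            raise ValueError(f"unknown Vercel target: {target}")
        payloads.append(
            {
                "key": "SENTRY_AUTH_TOKEN",
                "value": token,
                "type": "sensitive",  # stored as a sensitive value, not a regular config value
                "target": [target],   # one token per environment
            }
        )
    return payloads


# Constructed mapping: call name -> scopes any one of which is enough for it.
# Replace with what the endpoint permission classes actually require.
EXAMPLE_CALLS: Dict[str, Set[str]] = {
    "create_release": {"project:releases", "org:ci"},
    "create_deploy": {"project:releases", "org:ci"},
    "get_project": {"project:read"},
}


def audit_scopes(candidate: Set[str], calls: Dict[str, Set[str]]) -> dict:
    """Check a candidate scope set against the calls the flow makes.

    Returns the calls the candidate cannot satisfy, and the candidate scopes
    that can each be removed on their own while every call stays satisfied
    (so an alternative such as org:ci is accounted for when present).
    """
    def satisfies(scopes: Set[str]) -> bool:
        return all(scopes & accepted for accepted in calls.values())

    unsatisfied = sorted(name for name, ok in calls.items() if not (candidate & ok))
    removable = sorted(s for s in candidate if satisfies(candidate - {s}))
    return {"unsatisfied": unsatisfied, "removable": removable}


if __name__ == "__main__":
    # Constructed token values; a real run would use freshly provisioned tokens.
    for p in build_auth_token_env_vars({"production": "tok-prod", "preview": "tok-preview"}):
        print(p["target"], p["type"])
    print(audit_scopes({"project:releases", "project:read", "project:write"}, EXAMPLE_CALLS))
```

With the constructed mapping, auditing the current scope set reports project:write as removable and nothing unsatisfied; swapping the candidate to org:ci plus project:read reports nothing removable, which is the kind of result the endpoint-by-endpoint verification item should end with once the real mapping is filled in.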
Action taken on behalf of David Cramer.