Continuous integration does not use generic user everywhere #659
Comments
Currently the build script uses @szczepiq credentials/token to push things, the script just configures the user.name/user.email variable to The script should depend on the bot to perform git/bintray actions, i.e. make the not dependent on any team member credentials. Currently I don't think anyone but @szczepiq has the secrets of the drone user or mockito bintray account or even dns (e.g. #393).
This should be easy to change, e.g. just change the user token id in the Travis encrypted variables. Anyone can do it.
Indeed this technical part is easy but we don't have the credentials of
Actually I just realized that
Ok, I will sort this out.
Szczepan Faber
The current setup is very open: the generic continuous.delivery.drone@gmail.com is not a GitHub user. It can be any email address. Anyone with commit rights can change the API key in the travis file + update the reference in release.gradle. So, adding a new generic GitHub account that needs to be shared has no value. I'll close this ticket once I document it in the release.gradle
I don't agree, the credentials of the team have way more reach than simply push rights, the credentials can be used against the GitHub API to change organization settings, etc.
Good point!
The release process uses a GitHub write token that has tailored permissions and it cannot alter Mockito organization settings. This token can be easily generated by any committer and the release script can be updated. Maintaining and sharing a fake GitHub user does not add any value. Thanks for bringing this up and a very interesting discussion about repo security and maintainability! Reopen if needed!
There's of course the binary upload on bintray that requires a mockito account (see #631), but there are still some interactions with git that should use the continuous delivery drone generic user.
See https://github.com/mockito/mockito/blob/master/gradle/release.gradle#L117, credentials are one of these: https://github.com/mockito/mockito/blob/master/.travis.yml#L35-L37
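The thread's point is that the release step should run as the generic drone identity with a scoped write token supplied through CI environment variables, never as a team member. The script below is an added example, not code from Mockito's release.gradle or .travis.yml: a preflight guard a CI release step could call before any git push. It refuses to continue when the git author is not the bot identity, when the token variable is missing, or when the token has been embedded in the remote URL (where `git remote -v` and build logs would expose it). `BOT_NAME`, `GH_WRITE_TOKEN` and the function names are assumptions for this illustration; the email address is the generic one named in the thread.

```shell
#!/bin/sh
# Added example (not part of the Mockito release scripts): preflight checks that a
# CI release job runs as the generic drone identity with a scoped token, instead of
# a team member's credentials. BOT_NAME, GH_WRITE_TOKEN and function names are
# assumptions for this illustration.

BOT_NAME="Continuous Delivery Drone"                  # assumed display name for the bot
BOT_EMAIL="continuous.delivery.drone@gmail.com"       # generic address named in the thread

# check_identity NAME EMAIL: succeed only when the git author is the bot identity.
check_identity() {
  if [ "$1" != "$BOT_NAME" ]; then
    echo "user.name is '$1', expected '$BOT_NAME'" >&2; return 1
  fi
  if [ "$2" != "$BOT_EMAIL" ]; then
    echo "user.email is '$2', expected '$BOT_EMAIL'" >&2; return 1
  fi
}

# check_token TOKEN REMOTE_URL: the scoped write token must arrive through the
# environment and must not be embedded in the remote URL, where `git remote -v`
# would print it and it could land in build logs.
check_token() {
  if [ -z "$1" ]; then
    echo "GH_WRITE_TOKEN is not set; the release needs the bot's scoped token" >&2; return 1
  fi
  case "$2" in
    https://*@*) echo "remote URL embeds credentials; pass the token via the environment" >&2; return 1 ;;
  esac
}

# preflight_ci: read the live git configuration and environment, run both checks.
# Call this from the release step; a non-zero status stops the job before any push.
preflight_ci() {
  name=$(git config --get user.name)
  email=$(git config --get user.email)
  remote=$(git config --get remote.origin.url)
  check_identity "$name" "$email" && check_token "${GH_WRITE_TOKEN:-}" "$remote"
}
```

Wire `preflight_ci` in as the first command of the release step; because it reads the real `git config` and `GH_WRITE_TOKEN`, a job that was accidentally configured with a maintainer's name, or whose token was pasted into the remote URL, fails before it can push or publish anything.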