
Continuous integration does not use generic user everywhere #659

Closed
bric3 opened this issue Sep 29, 2016 · 9 comments

Comments

@bric3
Contributor

bric3 commented Sep 29, 2016

There's of course the binary upload on bintray that requires a mockito account (see #631), but there are still some interactions with git that should use the continuous delivery drone generic user.

See https://github.com/mockito/mockito/blob/master/gradle/release.gradle#L117; the credentials are one of these: https://github.com/mockito/mockito/blob/master/.travis.yml#L35-L37

@bric3
Contributor Author

bric3 commented Sep 29, 2016

Currently the build script uses @szczepiq's credentials/token to push things; the script just configures the user.name/user.mail variable to continuous.delivery.drone@gmail.com.

The script should depend on the bot to perform git/bintray actions, i.e. make it not dependent on any team member's credentials. Currently I don't think anyone but @szczepiq has the secrets of the drone user or the mockito bintray account or even DNS (e.g. #393).

@mockitoguy
Member

This should be easy to change, e.g. just change the user token id in the Travis encrypted variables. Anyone can do it.

@bric3
Contributor Author

bric3 commented Sep 29, 2016

Indeed, this technical part is easy, but we don't have the credentials of continuous.delivery.drone@gmail.com.

@bric3
Contributor Author

bric3 commented Sep 29, 2016

Actually, I just realized that continuous.delivery.drone@gmail.com has no GitHub account.

@mockitoguy
Member

Ok, I will sort this out.

Szczepan Faber
Founder @ mockito.org | Twitter @ szczepiq
Author @ https://www.linkedin.com/today/author/6016386

@mockitoguy
Member

The current setup is very open: the generic continuous.delivery.drone@gmail.com is not a GitHub user. It can be any email address. Anyone with commit rights can change the API key in the travis file and update the reference in release.gradle. So, adding a new generic GitHub account that needs to be shared has no value.

I'll close this ticket once I document it in release.gradle.

@bric3
Contributor Author

bric3 commented Oct 26, 2016

I don't agree: the credentials of the team have way more reach than simply push rights; the credentials can be used against the GitHub API to change organization settings, etc.
Having a bot account, on the other hand, allows narrowing down the scope of what this account can do.

@mockitoguy
Member

Good point!

@mockitoguy
Member

The release process uses a GitHub write token that has tailored permissions and it cannot alter Mockito organization settings. This token can be easily generated by any committer and the release script can be updated. Maintaining and sharing a fake GitHub user does not add any value.

Thanks for bringing this up and for a very interesting discussion about repo security and maintainability!

Reopen if needed!
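The arrangement the thread converges on, as an added example that is not part of this discussion nor of Mockito's own release.gradle: the commit identity is the generic drone address (which, as noted above, is just an email address and grants nothing), while write access comes from a scoped token that CI injects through an encrypted environment variable. The variable name GH_WRITE_TOKEN, the drone display name and the token value used for the demonstration are assumptions; the script fails closed when the token is missing rather than falling back to anyone's personal credentials, and redacts the token before a URL reaches build logs.

```shell
#!/bin/sh
# Added example (not Mockito's release script). Pattern: generic commit
# identity + scoped write token from CI, never a maintainer's own login.

# Generic identity for release commits. It is not an account and carries no
# rights of its own; only the token below authorizes the push.
DRONE_NAME="Continuous Delivery Drone"   # assumed display name
DRONE_EMAIL="continuous.delivery.drone@gmail.com"

# Build a token-authenticated push URL for "<owner>/<repo>".
# GH_WRITE_TOKEN is a hypothetical variable name, expected to be populated
# from the CI provider's encrypted settings. Returns 1 when it is absent so a
# misconfigured job stops instead of prompting for (or reusing) personal
# credentials.
push_url() {
  repo="$1"
  if [ -z "$GH_WRITE_TOKEN" ]; then
    echo "GH_WRITE_TOKEN is not set; refusing to push without a scoped token" >&2
    return 1
  fi
  printf 'https://%s@github.com/%s.git\n' "$GH_WRITE_TOKEN" "$repo"
}

# Replace the userinfo part of a URL with *** before it is logged.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#https://[^@/]+@#https://***@#'
}

# Push a ref from a local checkout as the drone identity. The identity is
# passed per-command with -c so nothing is written to the builder's
# ~/.gitconfig. Fails before touching git if no token is available.
release_push() {
  repo_dir="$1"   # local checkout
  repo="$2"       # e.g. mockito/mockito
  ref="$3"        # tag or branch to publish
  url=$(push_url "$repo") || return 1
  echo "pushing $ref to $(redact_url "$url")"
  git -C "$repo_dir" \
    -c "user.name=$DRONE_NAME" \
    -c "user.email=$DRONE_EMAIL" \
    push "$url" "$ref"
}

# Demonstration, only when a token is present in the environment.
if [ -n "$GH_WRITE_TOKEN" ]; then
  echo "release would push to: $(redact_url "$(push_url mockito/mockito)")"
fi
```

The token embedded in the URL is the only secret in the script, so rotating access is a matter of any committer generating a new write-scoped token and replacing the encrypted variable, which is exactly the property argued for above. A credential helper would keep the token out of process listings as well; the example keeps the URL form because that is what a minimal CI script typically does.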
