GitHub App: remove token after cloning #12202
Labels
Needed: documentation
Documentation is required
Comments
|
We discussed about maybe just documenting this for now and opened an issue to eventually obfuscate them from build output logs https://github.com/readthedocs/readthedocs-corporate/issues/2004 |
humitos
added
Needed: documentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What's the problem this feature will solve?
When cloning a private repository, we generate a token with read-only access, with the "contents" permission (https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents). But GH by default also grants "Metadata" access (https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-metadata).
Having metadata access, gives the token access to things like querying the events of the repository, collaborators, comments done in a commit, and more, which feels leaky.
Describe the solution you'd like
Maybe remove the token after doing the clone. But this will mean users can't interact with the repository in the "post_checkout" step. We have several examples that rely on having access to the repository in that step (like unshallowing the repo).
Alternative solutions
Just document that behavior, and warn users that if they have a private repo, they should be aware of this and don't show the token on the build if they have a public version, and that anyone who can open a PR on the repository may be able to leak the token.
Additional context
#12115
The text was updated successfully, but these errors were encountered: