[tahoe-lafs-trac-stream] [tahoe-lafs] #2072: decide whether to enable Travis-CI for the main Tahoe-LAFS repo
tahoe-lafs
trac at tahoe-lafs.org
Wed Oct 2 00:47:18 UTC 2013
#2072: decide whether to enable Travis-CI for the main Tahoe-LAFS repo
-------------------------+-------------------------------------------------
Reporter: daira | Owner: warner
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: dev-infrastructure | Version: 1.10.0
Resolution: | Keywords: security travis github brians-opinion-needed
Launchpad Bug: |
-------------------------+-------------------------------------------------
Comment (by warner):
FYI, I've set up travis on some of my own projects with somewhat limited
authority. To sign into travis at all, you have to grant it an awful lot
of power (the basic OAuth request includes write access to your
repositories). But there is an incantation you can speak to Github's API
to reduce the scope of the travis-ci oauth token to do less. Before or
after you attenuate the token like that, you can go to the travis account
page and copy down the travis token. Then you can paste this token into
the "travis-ci" service hook on one of your repositories.
Activating the hook with that token will, I believe, cause travis to start
building things when you push a new change.
The incantation to attenuate the oauth token is (fill in USER and ID):
{{{
curl -u USER https://api.github.com/authorizations
# note the "id" number for the Travis app. Ignore the Gist app.
curl -X PATCH -d'{"remove_scopes": ["public_repo"]}' -u USER \
  https://api.github.com/authorizations/ID
curl -X PATCH -d'{"add_scopes": ["repo:status"]}' -u USER \
  https://api.github.com/authorizations/ID
}}}
`curl` will ask for your github password with each request (it uses HTTP
basic auth, over SSL).
One problem with this scheme is that, eventually (I'm not sure exactly
when), your travis session will expire, and if you re-"sign in with
github", it will replace the attenuated oauth token with a full-power one,
and you'll have to do this dance again.
And of course, this attenuation removes travis's ability to automatically
configure your repo's hooks for you. I don't think that's a problem:
pasting the travis token into the webhook configuration seems to be enough
to trigger builds.
And there's still the window of time (after sign-in, before the PATCH api
call) during which travis gets full access to your repos.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2072#comment:13>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage