[tahoe-lafs-trac-stream] [Tahoe-LAFS] #4098: CircleCI is Broken
Tahoe-LAFS
trac at tahoe-lafs.org
Wed Nov 13 10:43:12 UTC 2024
#4098: CircleCI is Broken
-------------------------+-----------------------
Reporter: meejah | Owner:
Type: task | Status: new
Priority: normal | Milestone: undecided
Component: unknown | Version: n/a
Resolution: | Keywords:
Launchpad Bug: |
-------------------------+-----------------------
Comment (by btlogy):
Replying to [comment:18 meejah]:
> > It sounds like it might be much easier for someone with GitHub org
> > admin right to install that darned "CircleCI GitHub App" before we go
> > through the more involved steps?
>
> As I've said many times, I am not going to give CircleCI write access to
> everything I've got on public and private GitHub repositories, so this
> seems to be a non-starter unfortunately.

I agree with you, meejah: CircleCI is asking way too much by default.
Though, we've found a way to allow access only to public repositories.
Only a small improvement and it's a shame they do not propose this one by
default!
[[Image(CircleCI_Sigin_Public.png)]]
In any case, the requested permissions may still be too much for you:
[[Image(CircleCI_Public-Perms.png)]]
So, the alternative could be to:
1. create a dedicated GitHub user like `circleci-tahoe` (similar to the
existing [https://github.com/orgs/tahoe-lafs/teams/tahoe-robots tahoe-robots])
or re-use the `meejahcircleci`,
2. give it, at least temporarily, the admin role of the tahoe-lafs project
(not the whole Tahoe-LAFS org.),
3. use it to sign in on CircleCI by granting the required access (only one
public repository anyway),
4. remove the existing ssh key from the project settings or add and remove
a dummy one,
5. demote this user from admin role to simple member or just delete it if
no longer needed
The last resort option could be to force CircleCI to checkout the code via
HTTPS instead of SSH regardless of the presence of an SSH key in the
project settings:
[https://github.com/tahoe-lafs/tahoe-lafs/pull/1384 Implement custom checkout to avoid CircleCI using any SSH key #1384] WiP
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/4098#comment:19>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
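
The last-resort option in the comment above (checking out over HTTPS regardless of any SSH key in the project settings), sketched as an added example; it is not the code from pull request #1384 or from the Tahoe-LAFS project. It assumes a branch build of a public GitHub repository, git 2.32 or later for `GIT_CONFIG_GLOBAL`, and the names `to_https_url`, `https_checkout` and `CHECKOUT_DIR` are hypothetical.

```shell
#!/bin/sh
# Added example: HTTPS-only checkout for use in a CircleCI `run` step
# in place of the built-in `checkout` step. Not the project's own code.
set -eu

# Rewrite GitHub SSH remotes to HTTPS; refuse any other transport.
to_https_url() {
    case "$1" in
        git@github.com:*)       printf 'https://github.com/%s\n' "${1#git@github.com:}" ;;
        ssh://git@github.com/*) printf 'https://github.com/%s\n' "${1#ssh://git@github.com/}" ;;
        https://*)              printf '%s\n' "$1" ;;
        *) echo "refusing non-HTTPS remote: $1" >&2; return 1 ;;
    esac
}

# Clone <remote> into <dest> over HTTPS and pin the work tree to <sha>.
https_checkout() {
    url=$(to_https_url "$1") || return 1
    sha=$2
    dest=$3
    # GIT_CONFIG_GLOBAL=/dev/null and GIT_CONFIG_NOSYSTEM=1 ignore any
    # url.*.insteadOf rule that would rewrite HTTPS back to SSH.
    # GIT_SSH_COMMAND=false makes an accidental SSH transport fail loudly.
    # GIT_TERMINAL_PROMPT=0 stops git from asking for credentials.
    GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1 \
    GIT_SSH_COMMAND=false GIT_TERMINAL_PROMPT=0 \
        git clone --no-checkout "$url" "$dest" || return 1
    git -C "$dest" checkout --detach "$sha" || return 1
    # Confirm the work tree is at the commit the build was triggered for.
    [ "$(git -C "$dest" rev-parse HEAD)" = "$sha" ]
}

# CircleCI sets CIRCLECI=true together with the CIRCLE_* variables below.
# CHECKOUT_DIR is a hypothetical variable naming the clone destination.
if [ "${CIRCLECI:-}" = "true" ]; then
    https_checkout "$CIRCLE_REPOSITORY_URL" "$CIRCLE_SHA1" "${CHECKOUT_DIR:-src}"
fi
```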