is scope single or multi? #25

Closed
thepwagner opened this issue Apr 13, 2024 · 1 comment
@thepwagner
The docs suggest scope can be an organization OR a repository. Can it be multiple repositories?
The GitHub API supports it, but I'm not sure if octo-sts.dev does (cc #24)

I'd like to keep my tokens tightly scoped: if I need access to multiple private repositories (e.g. to fetch some private dependencies), I would prefer to give access to ONLY those repositories.
I don't want to request org-wide access, because I only need 2 specific repos.
I don't want to limit my octo-sts installation to those repos, because I have multiple application repos with unique sets of dependencies I want to access.

When I request multiple repos, I expect the backend to look for a "trust policy" in each.
I also expect the policies in my-org/.github/.github/chainguard/meow.sts.yaml to be respected.

🧠 To really rock my socks - parse my go.mod or package.json and build the minimal private repository list for me automatically. Given a list of orgs, you could do a lot of (fragile) magic.

suzuki-shunsuke commented May 5, 2024

You can add a Trust Policy in the `.github` repository, set `repositories` there, and specify the GitHub owner name as `scope`.

e.g.

https://github.com/szksh-lab/.github/blob/f89528a1324e10fb8812151a0ebe28491f312763/.github/chainguard/pull_request.sts.yaml#L3-L5

szksh-lab/.github/.github/chainguard/pull_request.sts.yaml

```yaml
repositories:
  - example-octo-sts
  - example-octo-sts-2
```

https://github.com/szksh-lab/example-octo-sts-2/actions/runs/8957707636/workflow?pr=1#L13

workflow

```yaml
      - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
        id: octo-sts
        with:
          scope: szksh-lab # GitHub Org name
          identity: pull_request
```

https://github.com/szksh-lab/example-octo-sts-2/actions/runs/8957707636/job/24601206424

```yaml
      - env:
          GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
        run: |
          gh repo list
```

```text
Run gh repo list
szksh-lab/example-octo-sts-2		public	2024-05-05T10:55:58Z
szksh-lab/example-octo-sts		public	2024-05-05T10:33:41Z
```

`gh repo list` lists only the repositories specified by the Trust Policy.
The org szksh-lab has other public repositories, and the GitHub App Octo STS is installed in szksh-lab/.github too, but those repositories aren't included in the result of `gh repo list`.
I think this means the scope is limited properly based on Trust Policy.
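The comment above verifies the token's scope by eye: the `repositories` list in the org-level trust policy should match exactly what `gh repo list` shows for the issued token. The script below turns that into a repeatable least-privilege check. It is an added example, not code from octo-sts or from either commenter; it assumes only the `repositories:` list shape shown in the comment (the minimal parser below handles just that key, not general YAML), and the `gh repo list` output it parses is a constructed copy of the lines shown in the job log.

```python
"""Check that a token issued under an org-level trust policy sees exactly the
repositories the policy names (added example; not octo-sts's own code)."""

# Constructed: the `repositories` block of the trust policy shown in the comment.
# Other trust-policy keys are omitted; the parser below only reads this one.
TRUST_POLICY = """\
repositories:
  - example-octo-sts
  - example-octo-sts-2
"""

# Constructed from the job-log lines quoted above (tab-separated, as gh prints them).
GH_REPO_LIST_OUTPUT = (
    "szksh-lab/example-octo-sts-2\t\tpublic\t2024-05-05T10:55:58Z\n"
    "szksh-lab/example-octo-sts\t\tpublic\t2024-05-05T10:33:41Z\n"
)


def policy_repositories(policy_text: str) -> list[str]:
    """Return the names under the top-level `repositories:` key.

    Minimal line-based parser so the example runs without a YAML library;
    it understands only an indented `- name` list under that key.
    """
    repos: list[str] = []
    in_list = False
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):  # a top-level key starts a new section
            in_list = line.strip() == "repositories:"
            continue
        if in_list and line.strip().startswith("- "):
            repos.append(line.strip()[2:].strip())
    return repos


def expected_scope(owner: str, repos: list[str]) -> set[str]:
    """Full `owner/repo` names the token is expected to reach."""
    return {f"{owner}/{repo}" for repo in repos}


def visible_repos(gh_output: str) -> set[str]:
    """Parse `gh repo list` output: the first tab-separated column is owner/repo."""
    return {
        line.split("\t", 1)[0].strip()
        for line in gh_output.splitlines()
        if line.strip()
    }


def check_scope(owner: str, policy_text: str, gh_output: str) -> dict:
    """Compare what the token can see against what the policy allows.

    `extra` is the over-privilege case (token reaches repos the policy did not
    name); `missing` means the policy names a repo the token could not list.
    """
    expected = expected_scope(owner, policy_repositories(policy_text))
    seen = visible_repos(gh_output)
    return {
        "ok": seen == expected,
        "extra": sorted(seen - expected),
        "missing": sorted(expected - seen),
    }


if __name__ == "__main__":
    result = check_scope("szksh-lab", TRUST_POLICY, GH_REPO_LIST_OUTPUT)
    print("scope matches policy" if result["ok"] else f"scope mismatch: {result}")
```

Run it in the same job step right after `gh repo list` (piping the output into `check_scope`) and fail the job on `extra`: that is the condition the issue author wants to rule out, a token that reaches more of the org than the two repositories it was meant for.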
