The docs suggest scope can be an organization OR a repository. Can it be multiple repositories?
The GitHub API supports it, but I'm not sure if octo-sts.dev does (cc #24)
I'd like to keep my tokens tightly scoped: if I need access to multiple private repositories (e.g. to fetch some private dependencies), I would prefer to give access to ONLY those repositories.
I don't want to request org-wide access, because I only need 2 specific repos.
I don't want to limit my octo-sts installation to those repos, because I have multiple application repos with unique sets of dependencies I want to access.
When I request multiple repos, I expect the backend to look for a "trust policy" in each.
I also expect the policies in my-org/.github/.github/chainguard/meow.sts.yaml to be respected.
🧠 To really rock my socks - parse my go.mod or package.json and build the minimal private repository list for me automatically. Given a list of orgs, you could do a lot of (fragile) magic.
```yaml
- env:
    GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
  run: |
    gh repo list
```

```text
Run gh repo list
szksh-lab/example-octo-sts-2 public 2024-05-05T10:55:58Z
szksh-lab/example-octo-sts public 2024-05-05T10:33:41Z
```
gh repo list lists only repositories specified by Trust Policy.
The org szksh-lab has other public repositories and the GitHub App Octo STS is installed in szksh-lab/.github too, but these repositories aren't included in the result of gh repo list.
I think this means the scope is limited properly based on Trust Policy.
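The check done by hand above (mint a token, run `gh repo list`, compare against the trust policy) as a small script, added here as an example and not part of octo-sts or the commenter's post. The trust policy text and the `gh repo list` output are constructed, and the `repositories:` key in the policy is an assumption about the policy schema; the parser only handles that one block-sequence key.

```python
"""Verify that a token minted from an Octo STS trust policy can see only the
repositories the policy grants (added example; not octo-sts code)."""
import re

# Constructed trust policy; the `repositories:` key is assumed, not taken
# from the project's docs.
TRUST_POLICY = """\
issuer: https://token.actions.githubusercontent.com
subject: repo:szksh-lab/example-octo-sts-2:ref:refs/heads/main
permissions:
  contents: read
repositories:
  - example-octo-sts
  - example-octo-sts-2
"""

# Constructed `gh repo list` output matching the observation in the thread.
GH_REPO_LIST = """\
szksh-lab/example-octo-sts-2 public 2024-05-05T10:55:58Z
szksh-lab/example-octo-sts public 2024-05-05T10:33:41Z
"""

def policy_repositories(policy_text: str) -> set[str]:
    """Bare repo names listed under `repositories:` (minimal block-sequence
    parser so the script has no PyYAML dependency)."""
    repos, in_list = set(), False
    for line in policy_text.splitlines():
        if re.match(r"^repositories:\s*$", line):
            in_list = True
            continue
        item = re.match(r"^\s+-\s*(\S+)\s*$", line)
        if in_list and item:
            repos.add(item.group(1))
        elif line.strip():
            in_list = False  # any other key ends the list
    return repos

def visible_repositories(gh_output: str, org: str) -> set[str]:
    """Parse `gh repo list` lines ("owner/repo visibility timestamp") into
    bare repo names, keeping only repos owned by `org`."""
    found = set()
    for line in gh_output.splitlines():
        fields = line.split()
        owner, _, name = (fields[0] if fields else "").partition("/")
        if owner == org and name:
            found.add(name)
    return found

def over_privileged(policy_text: str, gh_output: str, org: str) -> set[str]:
    """Repos the token sees but the policy never granted; empty means the
    scope is limited as tightly as the policy says."""
    return visible_repositories(gh_output, org) - policy_repositories(policy_text)

if __name__ == "__main__":
    extra = over_privileged(TRUST_POLICY, GH_REPO_LIST, "szksh-lab")
    print("scope matches policy" if not extra else f"unexpected access: {sorted(extra)}")
```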