GitHub OAuth2 Token: How to restrict access to read private repo - github-api

I checked the following link and there's only scopes for full access of repos. Is there any way I can restrict access to read only?
https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps

Turns out that if no repo-related scope is provided when creating the token, you will be able to read public repos.
Looks like there is no way to get read-only access to both public AND private repos at this moment.

Related

Is there a Github API OAuth scope that allows you to check a user has access to a private repo *without* also granting access to repo code?

I'm building an OAuth app to work with Github. I need to know, via token scopes, whether an authenticated user has access to a repo (public or private) so that I can restrict access accordingly in my app.
I explicitly do not want access to repo code from my app because a) I want users and companies to have confidence to use it with private repos and b) the app doesn't need to know, so I'd like to keep it least-privilege.
I'm struggling to find an OAuth scope that will allow the app to query whether a user has access to a specific repo without also needing to ask my users to grant the app permission to access their code.
The nearest I've found is repo:status. However that requires me to guess a branch name, which is usually main or master, but there's no guarantee.
Is there a better way?

Is it a good idea to use github personal access token to clone a private repo on a shared hosting account?

I used a personal access token (PAT) to clone a private github repo to a shared hosting service and the pull was successful.
But looking through the setup, I saw the PAT in plain text as part of the clone URL stored in the settings.
Is there any risk to doing this?

GitHub Repository Security

While using a paid account on github, we currently have a private repository which is forked only by contributors that work within the same network.
What is the best way to ensure that the code remains private? In other words, how can the organization restrict reading/cloning/downloading of the repository (or its forks) by a computer off network?
Thank you in advance for your help!
If you're using a version hosted on github.com, then there's no technical way to restrict access to that private repository based on the network from which the connection comes. If you need that functionality, you'll need to self-host with GitHub Enterprise Server, which is the on-premises version. You can then limit access to that server to only people on your network.
You could also enable SAML single sign-on and only allow access to GitHub if the SAML authentication comes from your network. However, do be aware that once a user has logged in, the SAML session is cached, so a user could log in while on your network and then take their laptop somewhere else and still access things. That also wouldn't prevent actually cloning a repository with a token or a key, however.
If your goal is solely to ensure that the code remains private and you generally trust your employees, you could try techniques like requiring 2FA for all employees, which makes it harder for people to compromise accounts.

Toran Proxy private repositories authentication

I'm trying to add a private repository in Toran Proxy. However, it ends up with an authentication failure. How do I set up authentication for Toran Proxy?
Any help would be nice.
Thx.
It should ask you for authentication credentials for GitHub and/or Bitbucket, according to the locations of your private packages, but in any case you can manually modify the auth credentials by editing the following file: app/toran/composer/auth.json

GitHub API - private or forked repositories not listing nor comparing

In my GitHub account I have a few public repositories that I created plus several private repositories forked from repositories in my organization.
My problems are
a) GET /user/repos is only listing the public, personally created repositories, regardless of the 'type' parameter
b) COMPARE calls on the forked repositories are returning 404
I'm logging in using OAuth 2.
Is there something that I am missing?
Thanks
If I understand correctly, the situation you're describing is as follows:
You belong to an organization. (Let's call it "#your-organization".)
#your-organization has at least one private repository. (Let's call it "your-organization/private-repo".)
You have a fork of that repository in your personal account (e.g., gulliver-smith/private-repo).
You're using an OAuth token to authenticate with the GitHub API.
When you access GET /user/repos, the response does not include your fork (e.g., gulliver-smith/private-repo).
When you access GET /repos/gulliver-smith/private-repo/compare/:base...:head, you get a 404.
If that's right, there are a few things you'll want to verify:
Ensure that your OAuth token has repo scope. If your token does not have repo scope, you'll observe the behavior described above. To verify the scopes associated with your token, look at the X-OAuth-Scopes response header.
$ curl -I https://api.github.com/ -H "Authorization: token REDACTED" | grep ^X-OAuth-Scopes
X-OAuth-Scopes: admin:org, admin:public_key, delete_repo, gist, notifications, repo, user
If you're using a token that belongs to an OAuth application, the organization may have third-party application restrictions enabled. If so, you can ask the organization's administrators to approve the OAuth application so that the app can access the organization's repositories on your behalf.
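The two scope questions in this thread (the first answer's point that a token without a repo-related scope can still read public repos but nothing grants read-only access to private ones, and this answer's advice to check the X-OAuth-Scopes header) can be checked mechanically. The following is an added example, not code from the original thread or from GitHub: it parses the X-OAuth-Scopes and X-Accepted-OAuth-Scopes response headers that GitHub returns on authenticated API calls (the same header the curl command above greps for), expands the scope hierarchy documented on the scopes-for-oauth-apps page, and reports what the token can do with repositories. The header values are constructed, modelled on the curl output above; treating "any one of the accepted scopes" as sufficient is this example's reading of the X-Accepted-OAuth-Scopes header.

```python
"""Inspect GitHub's X-OAuth-Scopes header to see what a token can reach.

Added example, not from the original thread. Runs offline on constructed
header values; point parse_scopes() at a real response header to use it.
"""
from typing import Dict, Set

# Scope hierarchy from docs.github.com scopes-for-oauth-apps: a parent scope
# implies its children, so a token granted `repo` also carries `repo:status`.
IMPLIED: Dict[str, Set[str]] = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "user": {"read:user", "user:email", "user:follow"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:public_key": {"write:public_key", "read:public_key"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}


def parse_scopes(header_value: str) -> Set[str]:
    """Turn 'repo, user, gist' into {'repo', 'user', 'gist'}; an empty header gives an empty set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(granted: Set[str]) -> Set[str]:
    """Add every scope implied (transitively) by the granted ones."""
    result = set(granted)
    changed = True
    while changed:
        changed = False
        for scope in list(result):
            for child in IMPLIED.get(scope, ()):
                if child not in result:
                    result.add(child)
                    changed = True
    return result


def satisfies(granted_header: str, accepted_header: str) -> bool:
    """True if the token holds at least one scope the endpoint checks for.

    X-Accepted-OAuth-Scopes lists the scopes an endpoint checks for; this
    example treats an empty list as "any authenticated token is enough".
    """
    accepted = parse_scopes(accepted_header)
    if not accepted:
        return True
    return bool(expand_scopes(parse_scopes(granted_header)) & accepted)


def private_repo_access(granted_header: str) -> str:
    """Summarise repository access for a token.

    There is no read-only scope for private repositories: the token either
    has `repo` (read and write to everything the user can reach) or it can
    only see public repositories.
    """
    scopes = expand_scopes(parse_scopes(granted_header))
    if "repo" in scopes:
        return "read-write: public and private repositories"
    if "public_repo" in scopes:
        return "read-write: public repositories only"
    return "read-only: public repositories only"


if __name__ == "__main__":
    # Constructed header values, modelled on the curl output in the answer above.
    with_repo = "admin:org, admin:public_key, delete_repo, gist, notifications, repo, user"
    without_repo = "gist, notifications, user"
    for hdr in (with_repo, without_repo):
        print(f"{hdr!r}\n  -> {private_repo_access(hdr)}; "
              f"accepted by a repo-scoped endpoint: {satisfies(hdr, 'repo')}")
```

A token that reports only `gist, notifications, user` will still answer GET /user/repos, but the response omits private forks, and compare calls on them return 404 exactly as described in the question; re-issuing the token with `repo` is the only fix, and it necessarily grants write access as well.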
