public inbox for [email protected]  
help / color / mirror / Atom feed
From: Kartik Ohri <[email protected]>
To: Chapman Flack <[email protected]>
Cc: [email protected]
Cc: [email protected]
Subject: Re: Travis and AppVeyor continuous integration [Re: feature/master/ci]
Date: Sat, 29 Aug 2020 19:10:56 +0530
Message-ID: <CAASLQ4PiOYPvcfhdh3iapYXDLFvPzQ4MtDok0f8BJ3Nb_k+fAg@mail.gmail.com> (raw)
In-Reply-To: <CAASLQ4NnVfjXWehE_cOMDSUbv6_7Bq1FsfibH_X__zayx3Gbug@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<CAASLQ4Px21jyb2vJYSrjF5P0RqhA-G_DDWR9QHG68r+W+AqbxQ@mail.gmail.com>
	<CAASLQ4NYE-TW6hjbkSOuAY2Z4NM2cYzqSQ9ahO2LAUhdP9axeQ@mail.gmail.com>
	<[email protected]>
	<CAASLQ4Od6-0=3+4ENKh1Z-Wcu5Wir-bwUn_ccO2UCmDhoR4vtQ@mail.gmail.com>
	<[email protected]>
	<CAASLQ4OzPwZB6GG_cXNW4WU4zpHa6wm8Q3WRWNv5pZpis+gf3w@mail.gmail.com>
	<[email protected]>
	<CAASLQ4P8e9XfUh17HFhYE4eMtq5-C4dpHQAX+hCsia-UFNAjtA@mail.gmail.com>
	<[email protected]>
	<CAASLQ4PoMTiTZUPxTR7VS8LLo9tosAMu-89T5ikWub7VbM+r4Q@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<CAASLQ4N6_=u6nbi+0tD8SSCSO0oPjGLMib7n2c2u5=rSKE+MNw@mail.gmail.com>
	<[email protected]>
	<CAO5TtCuTyvyUDkY4iNGr-zUYJe6gy9+RmmO7Dm6QiNzL2p8WLA@mail.gmail.com>
	<CAASLQ4NyFGd8J3iUpA3sCnkQ=4JccDjcHC=xrCemq9L4AdK+HQ@mail.gmail.com>
	<[email protected]>
	<CAASLQ4NnVfjXWehE_cOMDSUbv6_7Bq1FsfibH_X__zayx3Gbug@mail.gmail.com>

On Sat, Aug 29, 2020 at 7:04 PM Kartik Ohri <[email protected]> wrote:

> On Sat, Aug 29, 2020 at 6:40 PM Chapman Flack <[email protected]>
> wrote:
>
>> On 08/29/20 04:35, Kartik Ohri wrote:
>> > Hi!
>> > On Sat, Aug 29, 2020 at 12:55 PM Thomas Hallgren <[email protected]>
>> wrote:
>> >> I'm somewhat reluctant to TravisCI due to its requirement for write
>> >> permissions to *all* my repositories and associated data. Why would
>> anyone
>> >> grant an external CI service such permissions just to handle CI of
>> *one* of
>> >> my repositories, and why don't they offer a read-only alternative?
>> >>
>> >
>> > Travis recommends all repositories access but that can be easily
>> restricted
>> > to a single repository. Once, the application has been authorized.
>> Github
>> > will ask whether to install in a single repository or all.
>> >
>> > Also, I checked which permissions the Travis app installed on my repo
>> has.
>> > The current Travis App has the write access to checks, commit statuses,
>> > deployments, and repository hooks. The first three make sense but I am
>> not
>> > sure about the role of repository hooks. For what it's worth, AppVeyor
>> > requires write access to only checks, commit statuses.
>>
>> I will admit to a bit of a shock yesterday when, out of curiosity, I went
>> to https://travis-ci.com/plans and clicked "SET UP YOUR OPEN SOURCE
>> PROJECT
>> NOW" and was immediately faced with a GitHub "Authorize Travis CI" dialog
>> requesting:
>>
>> =====
>> Organizations and teams
>> Read-only access
>>
>> This application will be able to read your organization, team membership,
>> and private project boards.
>>
>>
>> Repositories
>> Public and private
>>
>> This application will be able to read and write all public and private
>> repository data. This includes the following:
>>
>>     Code
>>     Issues
>>     Pull requests
>>     Wikis
>>     Settings
>>     Webhooks and services
>>     Deploy keys
>>     Collaboration invites
>>
>>
>> Personal user data
>> Email addresses (read-only)
>>
>> This application will be able to read your private email addresses.
>> =====
>>
>> The "Cancel" button is still smoking from how hard I hit it.
>>
>> But I think that must have been their older, pre-GitHub-App, signup
>> process. I am not sure why they still have a working link that goes there.
>>
>>
> Yes, this is indeed the case. I created a new account and followed the
> same procedure as Chap and got the permissions as he mentioned. However,
> when I tried to install Travis through the marketplace I got the
> permissions as I mentioned in the mail earlier today.
>
>
>> Thomas, if their current permission requests, when configured as a
>> GitHub App, are as Kartik describes, and can be limited to the PL/Java
>> repo only, would that answer your concerns (even if not perfectly,
>> perhaps acceptably)?
>>
>> It seems to me also that such concerns can have a "duration" dimension:
>> if even their more limited, app-based, permissions are not entirely
>> satisfactory, perhaps they would be tolerable for a limited period
>> (a calendar quarter, perhaps) to immediately reap the benefits of
>> Kartik's work while affording time to explore migrating the scripts
>> to Github Actions without a rush?
>>
>> As I mentioned earlier, I suspect the migration would be fairly
>> straightforward. Kartik's GSoC-sponsored period concludes this weekend,
>> however. and migrating it all to GitHub Actions is probably not quite
>> *that* straightforward.
>>
>> Regards,
>> -Chap
>>
>
To investigate further, I tried it with AppVeyor as well. And I got a lot
more permissions requests than from the marketplace. The footer that
mentioned it was using OAuth. So, it seems that both Travis and AppVeyor
have a Github and OAuth app. The Github apps require less permissions than
the OAuth ones. To install an app as Github App, install it using the
Github marketplace.

Regards,
Kartik


view thread (15+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Travis and AppVeyor continuous integration [Re: feature/master/ci]
  In-Reply-To: <CAASLQ4PiOYPvcfhdh3iapYXDLFvPzQ4MtDok0f8BJ3Nb_k+fAg@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox