Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kC16c-0004H7-Ut for pljava-dev@arkaria.postgresql.org; Sat, 29 Aug 2020 13:41:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1kC16Z-0004zH-HP for pljava-dev@arkaria.postgresql.org; Sat, 29 Aug 2020 13:41:15 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kC16Z-0004zA-3K for pljava-dev@lists.postgresql.org; Sat, 29 Aug 2020 13:41:15 +0000 Received: from mail-ej1-x634.google.com ([2a00:1450:4864:20::634]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1kC16U-0004QI-RI for pljava-dev@lists.postgresql.org; Sat, 29 Aug 2020 13:41:13 +0000 Received: by mail-ej1-x634.google.com with SMTP id a26so2792482ejc.2 for ; Sat, 29 Aug 2020 06:41:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WRTdGGuUJOYDlLHC7jzCRtoqND9j0n0iEZxNVxFEkuU=; b=MSe41Kl1lUZkxPsWq6Hvw1b725MY+3YOuhFJboCiMzVSQ3fVhYinPu3TtV/dw96znH sT04VbF1Ar/G4xlD/BBjKD7MDKaS+D49xU/fPVS3KDCEdy/jC/OWJQE1uKdBhbfU6Gfi Ey2tQ3mLLMgLgjSCjd6F4wq2284gwJlbeHfQf8WRkGNaD0DK9Ye31ndnVL8gUYbwfWiO yH9LLES4NJvwEMJHRa16YOIAC8gDhSyrdM3LZp/msMiVKHbumEUBD5HQYZinVW5JI3iT +9ggwOcNopMhnoYqFQs1J96wHXr60wQOo3UIvLbPUA4yDsvaOyffF40eKvflwb6+MaE4 zFNA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WRTdGGuUJOYDlLHC7jzCRtoqND9j0n0iEZxNVxFEkuU=; b=EWpWiVlibUy/QHCRmA1FtCkzTas1dLSdD54QLICAaF8VaCC2wcn+d4hm6JTBUEn3Q3 L8YaZ1deB36IT54drjqLm5sqnEithPpyAKjSDqRFWdHX4vkVyCwqkk0LIHjOMAliFa8e y2Uu6UCPlIsb63b5jOPSzo+PYvYE379xi1y5WvUESeq7BDsFZJJejhlTVrkaMatPZ+eg ZDXQ72/FDXzfxjbwm/4gcGP3YMSzGHGNyHPQlMQGf/FikS0tCxNZpTjCIlZm+wnYW1zG 9l4f4K6uCGpzxa+flqw1uUoudvPkJPpu8O7yW94HCP0fL2ZDwKVqMIyQwSC7OnGG02cs BWcw== X-Gm-Message-State: AOAM530/DU9LqytsqhucuAryFB1JvVP5TJ/5zwbFNyTXd+mW+2IB1lW5 0H4tDUziPlp2sO2yjEox+aTbPWZ/9MKJS8frxhw= X-Google-Smtp-Source: ABdhPJxoUiEb5EzvHwNWQA+LTPTRj/ms63fGw93NZXGrJqobOigq4LoQO8fzdHhWwyjwManxK4ecLPNGkhy30Zd88VE= X-Received: by 2002:a17:906:2296:: with SMTP id p22mr3520240eja.510.1598708468702; Sat, 29 Aug 2020 06:41:08 -0700 (PDT) MIME-Version: 1.0 References: <5EC17E17.7070002@anastigmatix.net> <5ED4EA10.4030801@anastigmatix.net> <5ED7E74B.9020800@anastigmatix.net> <5EDA576E.2000204@anastigmatix.net> <5EDBA5D9.8090506@anastigmatix.net> <5EE7AE8C.2040201@anastigmatix.net> <5EEA6F85.9040009@anastigmatix.net> <5F063C86.3070301@anastigmatix.net> <5F47EB62.2060306@anastigmatix.net> <5F4816A0.8020208@anastigmatix.net> <5F4A53C3.1040102@anastigmatix.net> In-Reply-To: From: Kartik Ohri Date: Sat, 29 Aug 2020 19:10:56 +0530 Message-ID: Subject: Re: Travis and AppVeyor continuous integration [Re: feature/master/ci] To: Chapman Flack Cc: thomas@tada.se, pljava-dev@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000006062ab05ae045280" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk --0000000000006062ab05ae045280 Content-Type: text/plain; charset="UTF-8" On Sat, Aug 29, 2020 at 7:04 PM Kartik Ohri wrote: > On Sat, Aug 29, 2020 at 6:40 PM Chapman Flack > wrote: > >> On 08/29/20 04:35, Kartik Ohri wrote: >> > Hi! >> > On Sat, Aug 29, 2020 at 12:55 PM Thomas Hallgren >> wrote: >> >> I'm somewhat reluctant to TravisCI due to its requirement for write >> >> permissions to *all* my repositories and associated data. Why would >> anyone >> >> grant an external CI service such permissions just to handle CI of >> *one* of >> >> my repositories, and why don't they offer a read-only alternative? >> >> >> > >> > Travis recommends all repositories access but that can be easily >> restricted >> > to a single repository. Once, the application has been authorized. >> Github >> > will ask whether to install in a single repository or all. >> > >> > Also, I checked which permissions the Travis app installed on my repo >> has. >> > The current Travis App has the write access to checks, commit statuses, >> > deployments, and repository hooks. The first three make sense but I am >> not >> > sure about the role of repository hooks. For what it's worth, AppVeyor >> > requires write access to only checks, commit statuses. >> >> I will admit to a bit of a shock yesterday when, out of curiosity, I went >> to https://travis-ci.com/plans and clicked "SET UP YOUR OPEN SOURCE >> PROJECT >> NOW" and was immediately faced with a GitHub "Authorize Travis CI" dialog >> requesting: >> >> ===== >> Organizations and teams >> Read-only access >> >> This application will be able to read your organization, team membership, >> and private project boards. >> >> >> Repositories >> Public and private >> >> This application will be able to read and write all public and private >> repository data. This includes the following: >> >> Code >> Issues >> Pull requests >> Wikis >> Settings >> Webhooks and services >> Deploy keys >> Collaboration invites >> >> >> Personal user data >> Email addresses (read-only) >> >> This application will be able to read your private email addresses. >> ===== >> >> The "Cancel" button is still smoking from how hard I hit it. >> >> But I think that must have been their older, pre-GitHub-App, signup >> process. I am not sure why they still have a working link that goes there. >> >> > Yes, this is indeed the case. I created a new account and followed the > same procedure as Chap and got the permissions as he mentioned. However, > when I tried to install Travis through the marketplace I got the > permissions as I mentioned in the mail earlier today. > > >> Thomas, if their current permission requests, when configured as a >> GitHub App, are as Kartik describes, and can be limited to the PL/Java >> repo only, would that answer your concerns (even if not perfectly, >> perhaps acceptably)? >> >> It seems to me also that such concerns can have a "duration" dimension: >> if even their more limited, app-based, permissions are not entirely >> satisfactory, perhaps they would be tolerable for a limited period >> (a calendar quarter, perhaps) to immediately reap the benefits of >> Kartik's work while affording time to explore migrating the scripts >> to Github Actions without a rush? >> >> As I mentioned earlier, I suspect the migration would be fairly >> straightforward. Kartik's GSoC-sponsored period concludes this weekend, >> however. and migrating it all to GitHub Actions is probably not quite >> *that* straightforward. >> >> Regards, >> -Chap >> > To investigate further, I tried it with AppVeyor as well. And I got a lot more permissions requests than from the marketplace. The footer that mentioned it was using OAuth. So, it seems that both Travis and AppVeyor have a Github and OAuth app. The Github apps require less permissions than the OAuth ones. To install an app as Github App, install it using the Github marketplace. Regards, Kartik --0000000000006062ab05ae045280 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Sat, Aug 29, 2020 at 7:04 PM Kartik Oh= ri <kartikohri13@gmail.com= > wrote:
On Sat, Aug 29, 20= 20 at 6:40 PM Chapman Flack <chap@anastigmatix.net> wrote:
On 08/29/20 04:35, Kartik Ohri wrote:
> Hi!
> On Sat, Aug 29, 2020 at 12:55 PM Thomas Hallgren <thomas@tada.se> wrote:
>> I'm somewhat reluctant to TravisCI due to its requirement for = write
>> permissions to *all* my repositories and associated data. Why woul= d anyone
>> grant an external CI service such permissions just to handle CI of= *one* of
>> my repositories, and why don't they offer a read-only alternat= ive?
>>
>
> Travis recommends all repositories access but that can be easily restr= icted
> to a single repository. Once, the application has been authorized. Git= hub
> will ask whether to install in a single repository or all.
>
> Also, I checked which permissions the Travis app installed on my repo = has.
> The current Travis App has the write access to checks, commit statuses= ,
> deployments, and repository hooks. The first three make sense but I am= not
> sure about the role of repository hooks. For what it's worth, AppV= eyor
> requires write access to only checks, commit statuses.

I will admit to a bit of a shock yesterday when, out of curiosity, I went to https://travis-ci.com/plans and clicked "SET UP YOUR OPEN SOU= RCE PROJECT
NOW" and was immediately faced with a GitHub "Authorize Travis CI= " dialog
requesting:

=3D=3D=3D=3D=3D
Organizations and teams
Read-only access

This application will be able to read your organization, team membership, and private project boards.


Repositories
Public and private

This application will be able to read and write all public and private
repository data. This includes the following:

=C2=A0 =C2=A0 Code
=C2=A0 =C2=A0 Issues
=C2=A0 =C2=A0 Pull requests
=C2=A0 =C2=A0 Wikis
=C2=A0 =C2=A0 Settings
=C2=A0 =C2=A0 Webhooks and services
=C2=A0 =C2=A0 Deploy keys
=C2=A0 =C2=A0 Collaboration invites


Personal user data
Email addresses (read-only)

This application will be able to read your private email addresses.
=3D=3D=3D=3D=3D

The "Cancel" button is still smoking from how hard I hit it.

But I think that must have been their older, pre-GitHub-App, signup
process. I am not sure why they still have a working link that goes there.<= br>

Yes, this is indeed the case. I create= d a new account and followed the same procedure as Chap and got the permiss= ions as he mentioned. However, when I tried to install Travis through the m= arketplace I got the permissions as I mentioned in the mail earlier today.<= /div>


Thomas, if their current permission requests, when configured as a
GitHub App, are as Kartik describes, and can be limited to the PL/Java
repo only, would that answer your concerns (even if not perfectly,
perhaps acceptably)?

It seems to me also that such concerns can have a "duration" dime= nsion:
if even their more limited, app-based, permissions are not entirely
satisfactory, perhaps they would be tolerable for a limited period
(a calendar quarter, perhaps) to immediately reap the benefits of
Kartik's work while affording time to explore migrating the scripts
to Github Actions without a rush?

As I mentioned earlier, I suspect the migration would be fairly
straightforward. Kartik's GSoC-sponsored period concludes this weekend,=
however. and migrating it all to GitHub Actions is probably not quite
*that* straightforward.

Regards,
-Chap

To= investigate further, I tried it with AppVeyor as well. And I got a lot mor= e permissions requests than from the marketplace. The footer that mentioned= it was using OAuth. So, it seems that both Travis and AppVeyor have a Gith= ub and OAuth app. The Github apps require less permissions than the OAuth o= nes. To install an app as Github App, install it using the Github marketpla= ce.

Regards,
Kartik
--0000000000006062ab05ae045280--