Update collaborators #92
jeffkaufman
left a comment
I like this, though it shouldn't be in bounds.
It's ok to run it and test it. When it's working we can add it?
Note that everything you're doing here you can do running the script locally.
| util.request_put('%s/%s' % (_collaborators_url(repo), user)) | ||
|
|
||
| def _collaborators_url(repo): | ||
| return 'https://www.jefftk.com/nomic-github/repos/%s/collaborators' % repo |
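Review bot: In the request_put call, user is formatted straight into the URL path ('%s/%s' % (_collaborators_url(repo), user)) with no check or quoting, so a value containing '/' or '?' would change which endpoint the PUT reaches. Validate it as a GitHub login or URL-quote it before building the path. Separately, _collaborators_url hard-codes the www.jefftk.com proxy host; taking the base URL from configuration would let a fork point at its own proxy without editing this function.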
hmm, I should have a whitelist of what kind of requests to proxy
I assume this won't actually work until you set that up? Or is the issue that you're currently letting anything through?
Before 528a406 it was letting through everything under https://api.github.com/repos/jeffkaufman/nomic but now it's restricted to https://api.github.com/repos/jeffkaufman/nomic/pulls. Still, this would allow someone to PUT to https://api.github.com/repos/jeffkaufman/nomic/pulls/N/merge and since I'm an admin I think they might be able to merge without Travis passing. So in 83f90b7 I limited it to only GET requests.
If we decide to poke a hole through for collaborators we can, but we should be careful about it. For example, I don't know what would happen if you removed me!
I'm guessing it would fail, though I'm not inclined to test it. We could have it skip over you, or whoever is the repo owner. That doesn't address the broader proxy issue, though, just the code in this PR.
Right, but since anyone can poke the proxy we need the proxy to do validation.
The easiest thing to do might be to stand up your own nginx? Then I don't have to figure out how to do the validation...
Maybe I'm misunderstanding something, but how would that give me permissions? I don't have your GitHub credentials to use. Are you saying that I could hit the proxy without you needing to update the whitelist?
The idea is you'd use your own github credentials and play around with the tnelling/nomic repo. But I'm not sure there's a good way to open this up? Letting anyone add/remove collaborators doesn't seem great, and that's what the proxy would have to do.
Ah, of course. Might generate some annoying email traffic, but would work otherwise.
Could the proxy only let traffic through to collaborators from Travis (travis-ci.com/jeffkaufman/nomic, even)? And could we consider requests to collaborators to be out-of-bounds?
If there was a way to restrict it to only builds run on master, I'd suggest that, but I can't see how the proxy could possibly tell the difference.
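The proxy-side validation this thread asks for, sketched as an added example (not code from the nomic repository or from the proxy the thread describes): a method and path allowlist for the policy stated above, GET only and only under /repos/jeffkaufman/nomic/pulls. The function name, the tail pattern and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Policy as described in the thread: GET only, paths under .../nomic/pulls.
ALLOWED_METHODS = {"GET"}
ALLOWED_PREFIX = "/repos/jeffkaufman/nomic/pulls"
# Assumption: anything after the prefix is plain segments (PR number,
# sub-resource name). Dots are excluded, so "." and ".." can never match.
SAFE_TAIL = re.compile(r"(/[A-Za-z0-9_-]+)*/?")


def is_allowed(method, target):
    """Return True if the proxy should forward this request upstream."""
    if method not in ALLOWED_METHODS:
        return False
    parts = urlsplit(target)
    # Only origin-form targets; "//host/..." or "http://host/..." is refused.
    if parts.scheme or parts.netloc:
        return False
    # Decode once, then refuse anything still encoded (double encoding).
    path = unquote(parts.path)
    if "%" in path or "\\" in path:
        return False
    if not path.startswith(ALLOWED_PREFIX):
        return False
    # Check the remainder segment by segment, so ".../pullsX" and
    # ".../pulls/../collaborators" fail even though they share the prefix.
    return SAFE_TAIL.fullmatch(path[len(ALLOWED_PREFIX):]) is not None


# Constructed sample requests (method, request target).
SAMPLES = [
    ("GET", "/repos/jeffkaufman/nomic/pulls?state=open"),
    ("GET", "/repos/jeffkaufman/nomic/pulls/92/files"),
    ("PUT", "/repos/jeffkaufman/nomic/pulls/92/merge"),
    ("PUT", "/repos/jeffkaufman/nomic/collaborators/someone"),
    ("GET", "/repos/jeffkaufman/nomic/pulls/%2e%2e/collaborators"),
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        verdict = "forward" if is_allowed(method, target) else "reject"
        print("%-7s %s %s" % (verdict, method, target))
```

Opening a hole for collaborators would mean adding a second, equally narrow rule here; it would not remove the concern raised in the thread that anyone can reach the proxy.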
Overall I'm not sure this is worth it: it's just not that hard to handle manually.
I think this is more valuable as a long-term thing, to get the baseline repo closer to something that anyone could fork and start their own game without needing to know how to do as much administration as you've been doing. Granted, right now there's hard-coded jefftk stuff all over the place (not just in this PR).
Most of the work is setting up the proxy and travis. When we're done (or if someone asks) I'm happy to work on getting that better documented. Those are harder to automate (or, automate beyond how much they're already automated).
This is completely untested, and doesn't include any hooks to call the update.