Open ahal opened 1 month ago
Note that this issue will be valid even after Gecko moves to Github (as long as l10n remains in a separate repo).
The other big place this would be useful is for chain of trust verification. We currently use access tokens for this, but those have a lower rate limit than apps IIRC.
We added the ability to store l10n changes in a separate Github repo for Gecko l10n bumps: https://github.com/mozilla-releng/scriptworker-scripts/commit/3938c24da2c0964a1adc9994c3a8300df65ee0ae
We currently authenticate as the
releng-treescript
app to do things like get the latest commit and return the contents of files. This is useful for avoiding Github rate limits. However, we do not actually commit any changes to these external l10n repos. Therefore usingreleng-treescript
, which has write access to a repo, does not follow the Principle of Least Privilege.Instead, I believe we should create a generic
releng-readonly
(name TBD) app that only has read access to the repos. Then, we can install this app anywhere we simply want read access (e.g for higher rate limits or for access to private repos).