mshanemc / deploy-to-sfdx

the power behind hands-on workshops, demo booths, and platform trial
BSD 3-Clause "New" or "Revised" License
88 stars 43 forks

deploy-to-sfdx seems to be able to deploy only public repos #65

Closed RupertBarrow closed 4 years ago

RupertBarrow commented 5 years ago

Line 26 in lib/deployMsgBuilder (const path = template.replace('https://github.com/', '');) seems to prove that deploy-to-sfdx does not launch private GitHub templates whose path is https://user:pwd@github.com/

Would it be possible to manage authentication with GitHub:

mshanemc commented 5 years ago

you're not the first person to ask.

How are you planning to keep anyone from hitting your instance of the deployer, getting an org, and looking at whatever you were trying to keep private?

RupertBarrow commented 5 years ago

Thanks for your answer, Shane.

For the moment, I am exploring solutions, testing my own hosted version of deploy-to-sfdx.

Requests to deploy will always be made internally by people from our company, ditto for our repos, which will be private to the company. So, to answer your question: we will protect access to the Heroku app, as well as put restrictions on the origin of calls to it.

If we had all our repos in the same GitHub account, we could use a GitHub PAToken. Better would be to manage the https://user:pwd@github/user/repo syntax.

What do you think ?

On 7 Sept. 2019 at 00:00, Shane McLaughlin notifications@github.com wrote:

you're not the first person to ask.

How are you planning to keep anyone from hitting your instance of the deployer, getting an org, and looking at whatever you were trying to keep private?


mshanemc commented 5 years ago

I would never want my github credentials bouncing around server logs, browser history, firewalls, google analytics, or other people's apps. And there's also the scenario where you've got 2FA on github (not sure what url-based auth does in that case to complete).

Would definitely recommend using something like this buildpack and storing a token scoped to read-only. https://github.com/timshadel/heroku-buildpack-github-netrc

Then, your deployer would have access to git-clone whatever repos it can based on that token, and it's easy to revoke or whatever from github should it need to be.

As a bonus, you don't have to touch the code on the deployer--just cause a rebuild to happen.

mshanemc commented 4 years ago

Done, via buildpack, so it works on this project OR OTHERS https://github.com/mshanemc/github-via-pat

README says more.