Open hamishforbes opened 6 years ago
@hamishforbes We use GitHub authentication here, so if you do not have that GitHub account's token, you cannot upload under that account's name. This security check is important. The right way is to introduce a GitHub organization account so that all the members of that organization can upload new releases under that organization account.
It seems excessive to be forced to create an organisation just so that 2 people can push releases of a library though, especially when GitHub provides a mechanism for another user to have full write access without an organisation.
Is the check client-side only? It's difficult to tell exactly what happened on the server side; the entry on http://opm.openresty.org/ is under my namespace but the link is to the pintsized repo. Does this mean the package was built from the pintsized repo and just listed on opm as my user?
Given that repos a user has collaborator access to are listed under the GitHub /user/repos API call along with the current user's permissions for that repo, it doesn't seem like a security problem to add a new feature / enhancement to allow collaborators to push to OPM.
At the moment I don't seem to be able to upload a package on a repo to which I have push/write access.
Specifically, I have push access to https://github.com/pintsized/ledge so I can push a new version to GitHub, tag the release, etc. However, when I try to upload to opm I get
Looks like this check is client-side only? I commented it out and successfully uploaded the package, but it came through on OPM under my namespace; it should be under pintsized still. This may have just been because I had set
is_original=no
locally though?
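
The collaborator check proposed in this thread, sketched as a server-side decision (an added example, not part of the thread and not opm's code). `authorize_upload`, its reason strings and the sample repository entries are assumptions; only the `/user/repos` fields `full_name`, `owner.login` and `permissions.push` are GitHub's.

```python
import json

# Constructed sample shaped like a GitHub GET /user/repos response, trimmed to
# the fields used below. The permission values are made up for illustration.
SAMPLE_USER_REPOS = json.loads("""
[
  {"full_name": "hamishforbes/example-lib", "owner": {"login": "hamishforbes"},
   "permissions": {"admin": true, "push": true, "pull": true}},
  {"full_name": "pintsized/ledge", "owner": {"login": "pintsized"},
   "permissions": {"admin": false, "push": true, "pull": true}},
  {"full_name": "someorg/read-only", "owner": {"login": "someorg"},
   "permissions": {"admin": false, "push": false, "pull": true}}
]
""")


def authorize_upload(token_login, account, repo, user_repos):
    """Hypothetical server-side check; returns (allowed, reason).

    token_login and user_repos must come from GitHub calls the server makes
    with the uploader's token, never from fields the client sends.
    """
    if token_login.lower() == account.lower():
        return True, "owner"  # existing rule: token belongs to the account
    wanted = f"{account}/{repo}".lower()
    for entry in user_repos:
        if entry.get("full_name", "").lower() != wanted:
            continue
        if entry.get("owner", {}).get("login", "").lower() != account.lower():
            return False, "owner-mismatch"
        if entry.get("permissions", {}).get("push") is True:
            return True, "collaborator"
        return False, "no-push"
    return False, "not-listed"  # default deny


if __name__ == "__main__":
    for account, repo in [("pintsized", "ledge"), ("someorg", "read-only"),
                          ("pintsized", "unknown"), ("hamishforbes", "x")]:
        print(account, repo,
              authorize_upload("hamishforbes", account, repo, SAMPLE_USER_REPOS))
```

Publishing under the namespace returned by this check, rather than under whatever account name the client submits, keeps the listing and the source repository consistent.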