pre-commit-ci / issues

public issues for https://pre-commit.ci

Make the "act on your behalf" permission request optional #146

Closed rht closed 1 year ago

rht commented 1 year ago

We tried to use pre-commit.ci on projectmesa/mesa, in https://github.com/projectmesa/mesa/pull/1422. We decided not to enable the autofix_prs option. Yet, when I tried to enable pre-commit.ci, I encountered the GH permission request so that pre-commit.ci can act on my behalf. Is there a way to make this optional, since we don't use the autofix feature anyway?

asottile commented 1 year ago

that's the oauth login which we discard the token for immediately -- github doesn't give us a way to turn it off but if you don't log in you don't need it

rht commented 1 year ago

But I'm logged in to GH all the time. How am I sure that the token is discarded immediately?

asottile commented 1 year ago

that's different -- so github apps are two components: (1) the app install and (2) the oauth login

the former is what happens when you install pre-commit.ci on an org/user, it does not involve the "act on your behalf" privilege. the latter is the oauth token which is handed to pre-commit.ci when performing the login flow (such that pre-commit.ci can know what user you are so it can display your installs).

once the app is installed you can log out of pre-commit.ci and never log in again and the oauth token will be destroyed (technically it's inaccessible before that because we discard it but I suspect you're extra paranoid so you can take that extra step) -- you can also remove the oauth authorization explicitly via https://github.com/settings/apps/authorizations (I suspect you'll find other things there -- each of those also "can act on your behalf")

pre-commit.ci will never perform actions on behalf of a user -- all actions will be performed by pre-commit-ci[bot]

it does really suck that github doesn't let us do an oauth login without having "act on your behalf" show up despite setting zero permissions for that

rht commented 1 year ago

OK thank you for the clarification.

> (I suspect you'll find other things there -- each of those also "can act on your behalf")

I usually make sure not to grant such apps. Though I found at least travis-ci being granted (and I finally revoked it).

asottile commented 1 year ago

I suspect this is why most oauth apps set "Read-only emails" so that the messaging looks slightly less scary -- but really is more permissions than we set (zero)

rht commented 1 year ago

> (such that pre-commit.ci can know what user you are so it can display your installs).

You could reduce the permission scope option if you use the public API to fetch a user's public repos only? Not saying this is the majority of the case, but it is quite sizeable.

asottile commented 1 year ago

it's not the repository list -- that's all in app-install land -- it's just that initial list of installations (like my account has installs for asottile, pre-commit, pre-commit-ci, pycqa, pytest-dev, etc. etc. etc.)
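As an added illustration of the login flow asottile describes above (written for this thread, not pre-commit.ci's own code): the OAuth user token is spent on exactly two read-only calls, `GET /user` and `GET /user/installations` (GitHub's real REST routes), the session keeps only the identity and installation ids, and the token is never stored. The HTTP client is a constructed fake so the example runs offline; the token value, user and installation ids are made up.

```python
"""Hypothetical login handler: learn who the user is and which app installations
they can see, then let the OAuth token go out of scope (not pre-commit.ci's code)."""
from dataclasses import dataclass
from typing import Callable

GITHUB_API = "https://api.github.com"  # real endpoints: GET /user, GET /user/installations


@dataclass(frozen=True)
class LoginResult:
    """What the session keeps: identity and installation ids, never the token."""
    user_id: int
    login: str
    installation_ids: tuple[int, ...]


def complete_login(user_token: str, http_get: Callable[[str, str], dict]) -> LoginResult:
    # The token is used for two read-only calls and is not written anywhere.
    me = http_get(f"{GITHUB_API}/user", user_token)
    installs = http_get(f"{GITHUB_API}/user/installations", user_token)
    ids = tuple(int(i["id"]) for i in installs["installations"])
    return LoginResult(user_id=int(me["id"]), login=me["login"], installation_ids=ids)


# --- constructed fake of the GitHub API so this runs offline (assumed values) ---
FAKE_TOKEN = "gho_constructed_example_token"
FAKE_RESPONSES = {
    f"{GITHUB_API}/user": {"id": 12345, "login": "example-user"},
    f"{GITHUB_API}/user/installations": {
        "installations": [{"id": 111, "account": {"login": "example-user"}},
                          {"id": 222, "account": {"login": "example-org"}}]
    },
}
CALLS: list[tuple[str, str]] = []  # records (url, token) so token use can be audited


def fake_http_get(url: str, token: str) -> dict:
    CALLS.append((url, token))
    if token != FAKE_TOKEN:
        raise PermissionError("bad token")
    return FAKE_RESPONSES[url]


def demo() -> LoginResult:
    CALLS.clear()
    result = complete_login(FAKE_TOKEN, fake_http_get)
    # Check a reviewer would want: the token leaks into nothing the session keeps.
    assert FAKE_TOKEN not in repr(result)
    return result


if __name__ == "__main__":
    print(demo())
```

The recorded `CALLS` list only exists to show that the token touched two endpoints and nothing else; a real handler would use a live HTTP client and keep no such record.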