travis-ci / travis.rb

Travis CI Client (CLI and Ruby library)
MIT License

Document what permissions github token for travis CLI login needs #645

Open holyjak opened 5 years ago

holyjak commented 5 years ago

When creating a GitHub personal token to be used with

travis login --pro --github-token xxxx

what permissions does it need? I have noticed that it works if I give it all the Repo permissions - but a) does it really need all of these? b) does it need any others?

Please update the docs accordingly.

Thank you!

NathanGibbs3 commented 5 years ago

This confused me at first too. I found that it actually uses the token available under my account settings on travis-ci. --org and --com will of course have different tokens, but you can set up either or both to work with travis CLI.

nicktimko commented 5 years ago

Agree that the permissions should be documented. It's horrifying for some 3rd party script to ask me for my GitHub password and encourages bad behavior. The ideal workflow would be something like the Heroku login which will fire up a localhost server, open your browser to whatever ID provider, then do a redirect with the token back to

In any event, after some monkeying I made a token with public_repo and read:user permissions and that seemed to sate travis login --org --github-token 1234.... The latter read:user may not be required; I started with just that and the script barfed at me. Added public_repo (public may be fine for just --org) and it worked. Didn't try with just it.

iainjreid commented 5 years ago

I'm not sure if it was available when this ticket was opened, but there's a page outlining the permissions you need that can be found here: https://docs.travis-ci.com/user/github-oauth-scopes

In short, and if you're feeling lazy like me, here are the options you need to toggle when setting up a GitHub token to use with the CLI!

Travis CI for Private Projects

Travis CI for Open Source Projects

holyjak commented 5 years ago

Awesome, thanks!

On Wed, Oct 16, 2019, 12:56 PM Iain Reid notifications@github.com wrote:

I'm not sure if it was available when this ticket was opened, but there's a page outlining the permissions you need that can be found here: https://docs.travis-ci.com/user/github-oauth-scopes

In short, and if you're feeling lazy like me, here are the options you need to toggle when setting up a GitHub token to use with the CLI!

Travis CI for Private Projects

  • user:email (read-only)
  • read:org (read-only)
  • repo

Travis CI for Open Source Projects

  • user:email (read-only)
  • read:org (read-only)
  • repo_deployment
  • repo:status
  • write:repo_hook

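A way to check an existing token against the two scope lists quoted above, as an added example that is not part of the thread or of travis.rb. It assumes a classic personal access token, for which the GitHub API reports the granted scopes in the `X-OAuth-Scopes` response header; the function names, the `IMPLIES` table and the sample headers are constructed for illustration.

```ruby
# Added example, not travis.rb code. Scope lists are the ones quoted in this thread.
REQUIRED = {
  private:     %w[user:email read:org repo],
  open_source: %w[user:email read:org repo_deployment repo:status write:repo_hook]
}.freeze

# Parent scopes that also grant the listed child scopes (part of GitHub's scope hierarchy).
IMPLIES = {
  'repo'            => %w[repo:status repo_deployment public_repo],
  'user'            => %w[read:user user:email],
  'write:org'       => %w[read:org],
  'admin:org'       => %w[write:org read:org],
  'admin:repo_hook' => %w[write:repo_hook read:repo_hook]
}.freeze

# Pull the scope list out of raw response headers; the header name is case-insensitive.
def granted_scopes(raw_headers)
  line = raw_headers.lines.find { |l| l.match?(/\Ax-oauth-scopes:/i) }
  return [] unless line
  line.split(':', 2).last.split(',').map(&:strip).reject(&:empty?)
end

# Granted scopes plus everything they imply.
def effective_scopes(granted)
  (granted + granted.flat_map { |s| IMPLIES.fetch(s, []) }).uniq
end

# missing: listed scopes the token cannot exercise.
# excess:  granted scopes that are not on the list (broader than the list asks for).
def audit(raw_headers, profile)
  granted  = granted_scopes(raw_headers)
  required = REQUIRED.fetch(profile)
  { missing: required - effective_scopes(granted),
    excess:  granted - required }
end

# Constructed sample headers, shaped like the output of `curl -sI` against api.github.com/user.
SAMPLE_PRIVATE = "HTTP/2 200\r\nx-oauth-scopes: delete_repo, read:org, repo, user:email\r\n\r\n"
SAMPLE_BROAD   = "HTTP/2 200\r\nX-OAuth-Scopes: repo, user\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  p audit(SAMPLE_PRIVATE, :private)
  p audit(SAMPLE_BROAD, :open_source)
end
```

A non-empty `excess` list is the least-privilege signal: the second sample satisfies most of the open source list only because `repo` and `user` are broader than what that list asks for.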

sbellem commented 4 years ago

I'm not sure if it was available when this ticket was opened, but there's a page outlining the permissions you need that can be found here: https://docs.travis-ci.com/user/github-oauth-scopes

Does anyone know what the scope should be for open source projects under .com? The above is for the legacy "version" in which open source projects are under .org.

I know it is mentioned in https://docs.travis-ci.com/user/github-oauth-scopes#travis-ci-for-open-source-and-private-projects:

On https://travis-ci.com, via our GitHub Apps integration, we ask for the following permissions:

  • Read access to code
  • Read access to metadata and pull requests
  • Read and write access to administration, checks, commit statuses, and deployments

But it does not have the same precision as in https://docs.travis-ci.com/user/github-oauth-scopes#legacy-webhooks, as mentioned in https://github.com/travis-ci/travis.rb/issues/645#issuecomment-542645388 by @iainreid820.