woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0
4.16k stars, 360 forks

Reduce attack vector in GitHub repositories #4149

Open abitrolly opened 5 days ago

abitrolly commented 5 days ago

Clear and concise description of the problem

Permissions that https://ci.woodpecker-ci.org/ Login requests are too broad.


Suggested solution

The better strategy is to request additional permissions exactly when they are required, and provide manual integration instructions.

Alternative

No response

Additional context

I am trying to evaluate Woodpecker CI, but the easiest way, clicking the Login button, is a no-go.


qwerty287 commented 5 days ago

Did you see https://woodpecker-ci.org/docs/administration/forges/github#woodpecker_github_public_only?

Besides that, this instance is not usable by you anyway. You can't log in there as you're not a member of our org. If you want to test Woodpecker without setting it up yourself, check out Codeberg CI.