Full control of repository hooks

luis.rascao

09 Oct, 2015 03:30 PM

Hi,
Just integrated with GitHub, and I'm noticing that AppVeyor requests the above permission. This can be a bit dangerous, as I'm really not keen on allowing AppVeyor to be able to delete/change any other hooks I might have configured.
Any thoughts on this?
Thanks!
Luis Rascão

  1. Support Staff 1 Posted by Feodor Fitsner on 09 Oct, 2015 04:33 PM

    Hi Luis,

    With the more granular write:repo_hook permission, AppVeyor won't be able to delete the webhook for you when the project is deleted.

    Also, AppVeyor is definitely not going to modify your other webhooks.

  2. 2 Posted by luis.rascao on 09 Oct, 2015 04:40 PM

    AppVeyor requests the Full control permission; is it possible to only request the write permission you mentioned?

  3. Support Staff 3 Posted by Feodor Fitsner on 09 Oct, 2015 04:44 PM

    Not at the moment, sorry.

  4. 4 Posted by luis.rascao on 09 Oct, 2015 04:51 PM

    Is this a technical issue? Of all the permissions granted to AppVeyor, the only one being used right now is write, am I correct?

  5. Support Staff 5 Posted by Feodor Fitsner on 09 Oct, 2015 04:53 PM

    Not exactly. Write permission doesn't allow deletion of webhooks, while AppVeyor removes its own webhooks when a project is removed. Nobody wants their repos polluted with orphan webhooks, right?

  6. 6 Posted by tuncer on 12 Oct, 2015 10:05 AM

    The only hook removal AppVeyor has to be concerned with is its own book-keeping of existing hooks in AppVeyor. So, if, as you say, you already have a way to be notified on an event like REMOVE_REPO, then it's trivial to remove the hook on AppVeyor. There is no reason for AppVeyor to delete its hook on GitHub, and that side of the hook is gone when the repo is removed anyway. If you need to, something like the following might be a good idea to have on AppVeyor:

    1. On REMOVE_REPO, or after a periodic REPO_EXIST check on AppVeyor determines it cannot reach the configured repo, mark it for deletion.
    2. Send a notification to the AppVeyor account contact, telling them it will be removed in X days.
    3. Send a reminder after X - Y days.
    4. After X days, remove the hook.

  7. 7 Posted by luis.rascao on 12 Oct, 2015 04:57 PM

    Yeah, I would agree with Tuncer on this. Even if AppVeyor receives no notification of the repo being deleted, IMHO I think it's best to leave the maintenance to the repo owner. AppVeyor could simply display a message reminding the owner that he needs to remove the hook: less work for you and fewer raised eyebrows regarding security.

  8. Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:00 AM.
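
Added example (not part of the thread and not AppVeyor's code): the scope trade-off discussed above, as a Python audit that compares the hook operations an OAuth token grants with the operations an integration actually needs. The scope table follows GitHub's documented read:repo_hook, write:repo_hook and admin:repo_hook scopes (admin:repo_hook is the one GitHub labels "Full control of repository hooks"); the function names and the sample header value are constructed for illustration.

```python
# Added example: least-privilege check for GitHub repository-hook OAuth scopes.
# Hook operations per scope, following GitHub's OAuth scope documentation.
HOOK_SCOPES = {
    "read:repo_hook": {"read", "ping"},
    "write:repo_hook": {"read", "ping", "write"},
    "admin:repo_hook": {"read", "ping", "write", "delete"},
}
# Narrowest to broadest; each scope is a superset of the previous one.
SCOPE_ORDER = ["read:repo_hook", "write:repo_hook", "admin:repo_hook"]


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes response header value into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def granted_hook_ops(scopes):
    """Union of hook operations granted by the hook scopes present.
    Assumption: only the three hook scopes are modelled; others are ignored."""
    ops = set()
    for scope in scopes:
        ops |= HOOK_SCOPES.get(scope, set())
    return ops


def minimal_hook_scope(needed_ops):
    """Narrowest hook scope that covers every needed operation."""
    for name in SCOPE_ORDER:
        if needed_ops <= HOOK_SCOPES[name]:
            return name
    raise ValueError(f"no hook scope covers {sorted(needed_ops)}")


def audit(header_value, needed_ops):
    """Compare what a token grants with what the integration needs."""
    granted = granted_hook_ops(parse_scopes(header_value))
    return {
        "minimal_scope": minimal_hook_scope(needed_ops),
        "missing": sorted(needed_ops - granted),
        "excess": sorted(granted - needed_ops),
    }


if __name__ == "__main__":
    header = "admin:repo_hook, repo:status, user:email"  # constructed sample value
    # Integration that deletes its own hook when a project is removed.
    print(audit(header, {"read", "write", "ping", "delete"}))
    # Integration that leaves hook removal to the repository owner.
    print(audit(header, {"read", "write", "ping"}))
```

The second call reports `delete` as excess: if hook cleanup is left to the repository owner, write:repo_hook is sufficient.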
