Full control of repository hooks
Hi,
Just integrated with GitHub. I'm noticing that AppVeyor requests the above permission. This can be a bit dangerous, as I'm really not keen on allowing AppVeyor to be able to delete/change any other hooks I might have configured.
Any thoughts on this?
Thanks!
Luis Rascão
Support Staff 1 Posted by Feodor Fitsner on 09 Oct, 2015 04:33 PM
Hi Luis,
With more granular write:repo_hook permission AppVeyor won't be able to delete webhook for you when project is deleted. Also, AppVeyor is definitely not going to modify your other webhooks.
2 Posted by luis.rascao on 09 Oct, 2015 04:40 PM
AppVeyor requests the Full control permission, is it possible to only request the write permission you mentioned?
Support Staff 3 Posted by Feodor Fitsner on 09 Oct, 2015 04:44 PM
Not at the moment, sorry.
4 Posted by luis.rascao on 09 Oct, 2015 04:51 PM
Is this a technical issue? Of all the permissions granted to AppVeyor, the only one being used right now is write, am I correct?
Support Staff 5 Posted by Feodor Fitsner on 09 Oct, 2015 04:53 PM
Not exactly. Write permission doesn't allow deletion of webhooks while AppVeyor removes its own webhooks when project is removed. Nobody wants their repos polluted with orphan webhooks, right?
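The scope difference discussed in the replies above, as an added example that is not part of the original thread and not AppVeyor's code: it reads the value of the `X-OAuth-Scopes` response header that GitHub returns for a token and reports which hook operations the grant allows beyond what an integration needs. The function names and the sample header are constructed for illustration; only the three `*:repo_hook` scopes are modelled.

```python
# Hook operations covered by each GitHub OAuth hook scope.
# Broader scopes (anything outside *:repo_hook) are not modelled here.
HOOK_SCOPES = {
    "read:repo_hook": {"read", "ping"},
    "write:repo_hook": {"read", "ping", "write"},
    "admin:repo_hook": {"read", "ping", "write", "delete"},
}


def parse_scopes(header):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in header.split(",") if s.strip()}


def granted_hook_ops(header):
    """Union of hook operations allowed by the scopes in the header."""
    ops = set()
    for scope in parse_scopes(header):
        ops |= HOOK_SCOPES.get(scope, set())
    return ops


def minimal_hook_scope(needed):
    """Narrowest hook scope that covers every needed operation, or None."""
    if not needed:
        return None
    fits = [(len(ops), name) for name, ops in HOOK_SCOPES.items() if needed <= ops]
    return min(fits)[1] if fits else None


def audit(header, needed):
    """Compare a token's granted hook operations with what is needed."""
    granted = granted_hook_ops(header)
    minimal = minimal_hook_scope(needed)
    return {
        "missing": sorted(needed - granted),
        # Operations the grant allows that the narrowest sufficient scope would not.
        "avoidable": sorted(granted - HOOK_SCOPES.get(minimal, set())),
        "minimal_scope": minimal,
    }


if __name__ == "__main__":
    sample_header = "admin:repo_hook, repo:status, user:email"  # constructed sample
    # An integration that only creates and updates its own hook:
    print(audit(sample_header, {"read", "write"}))
    # An integration that also deletes its hook on project removal:
    print(audit(sample_header, {"read", "write", "delete"}))
```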
6 Posted by tuncer on 12 Oct, 2015 10:05 AM
The only hook removal AppVeyor has to be concerned with is its own book-keeping of existing hooks in AppVeyor. So, if, as you say, you already have a way to be notified on an event like REMOVE_REPO, then it's trivial to remove the hook on AppVeyor. There is no reason for AppVeyor to delete its hook on GitHub, and that side of the hook is gone when the repo is removed anyway. If you need to, something like the following might be a good idea to have on AppVeyor:
1. On REMOVE_REPO, or after a periodic REPO_EXIST check on AppVeyor determines it cannot reach the configured repo, mark it for deletion.
2. Send a notification to the AppVeyor account contact, telling them it will be removed in X days.
3. Send a reminder after X - Y days.
4. After X days, remove the hook.
7 Posted by luis.rascao on 12 Oct, 2015 04:57 PM
Yeah, I would agree with Tuncer on this. Even if AppVeyor receives no notification of the repo being deleted, IMHO I think it's best to leave the maintenance to the repo owner. AppVeyor could simply display a message reminding the owner that he needs to remove the hook: less work for you and fewer raised eyebrows regarding security.
Ilya Finkelshteyn closed this discussion on 25 Aug, 2018 02:00 AM.