Closed Bug 1506740 Opened 6 years ago Closed 6 years ago

Assess use of external addon "AWS CodeBuild (Oregon)" from aws-codesuite in Mozilla's GitHub organization mozilla

Categories: mozilla.org :: Github: Administration
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: danielh
Assignee: Unassigned

Details

I want to use the "AWS CodeBuild (Oregon)" from aws-codesuite addon in mozilla for the following reasons:

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)

mozillians

** Are any of those repositories private?

No

** Provide link to vendor's description of permissions needed and why

It is requesting "access of the user who requested the integration". I cannot find any documentation to link. In this case, mozilla-auth0 has public-read access to the repository so it should be limited to that.

** Provide the Install link for a GitHub app

https://github.com/orgs/mozilla/policies/applications/437940

I do not have a hard deadline to complete this work, but it is currently blocking a colleague. Once this is in place, our CodeBuild jobs can read the repository and trigger builds on pushes. Until then, we cannot automate deployments, which impacts the developer workflow.

I've denied the request, as it is an old-style OAuth app asking for permissions to private repositories.

Since you're using the application on a public repository, it should work fine without approval. Most of these old apps want permissions to install hooks on your behalf -- they should have instructions on how to manually configure those. A GitHub user with "admin" rights on the repo will need to configure that part.

If you have problems, please work with the app vendor to get specific instructions.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
After chatting with Hal and Gene, we decided to enable this momentarily in order to let CodeBuild set up the webhook, then disable it.

This is because CodeBuild does not allow you to get the webhook endpoint URL (it can only automatically create it without giving you any visibility)

The user that is tied to this is mozilla-auth0, which additionally only has read permissions to public repos regardless.
We've done the setup (mozilla/mozillians now has 3 webhooks with CodeBuild) and disabled (denied) the grant again afterwards.

Additional note: if the infra is recreated (e.g. with a CloudFormation change), the hook will change and you would need to do this again so that AWS can update the hook URL.