Closed Bug 1509100 Opened 7 years ago Closed 7 years ago

Assess use of external addon Azure Pipelines in Mozilla's GitHub organization mozilla

Categories

(mozilla.org :: Github: Administration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: myk, Unassigned)

Details

I want to use the Azure Pipelines addon in mozilla for the following reasons: to continuously integrate Rust projects on Windows that currently use the slow and buggy Appveyor service for that purpose.

Below are my answers to your stock questions:

** Which repositories do you want to have access?

Initially, just lmdb-rs.

** Are any of those repositories private?

No, lmdb-rs is a public repo.

** Provide link to vendor's description of permissions needed and why

According to the request page, Azure Pipelines gets:

* Write access to code
* Read access to metadata
* Read and write access to checks, commit statuses, deployments, issues, and pull requests

Note that Azure Pipelines is a Microsoft service, and Microsoft owns GitHub, so we should be able to trust it to the same extent that we trust GitHub.

** Provide the Install link for a GitHub app

https://github.com/apps/azure-pipelines/installations/new/permissions?request_id=16271&target_id=131524

When I initially made the request, the GitHub UI didn't appear to let me select the repository for which I'd like to use the app. The "Select repositories" dropdown menu appeared in the UI, but it wouldn't drop down. However, the request page shows that a bunch of repositories have been "requested," and none of those repos (f.e. mozilla/guardduty-multi-account-manager) have an azure-pipelines.yml file in them or other evidence of interest in Azure from my cursory examination. So I suspect that the dropdown was actually present, but invisible, and I unknowingly selected a bunch of repos. These repos should be unselected (and the lmdb-rs repo selected) when approving the request.

I'm an owner of the org, so I can approve this request myself, but it seems prudent to ask another owner to cross-check it. Thus this bug.
In the interest of avoiding installation of Azure Pipelines for a bunch of repos that don't want it, I canceled my request and recreated it, while being careful not to try to select any repos from the broken dropdown menu. However, apparently I not only selected a repo (mozilla/gecko), I also approved the integration from my non-privileged account (mykmelez), according to the audit log, which is quite perplexing. In any case, I'm going to resolve this bug. But I'll raise the issue of this confusing flow in the github-owners mailing list. And you should feel free to reopen if you think we should undo this integration.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED