pyup-bot account still able to write to mozilla/treeherder after being removed from teams
Categories
(mozilla.org :: Github: Administration, task)
People
(Reporter: emorley, Unassigned)
Attachments (1 file): 50.75 KB, image/png
Hi
Treeherder has just switched from pyup to Dependabot (bug 1525923). As part of that switch yesterday I:
- deleted the pyup webhook from https://github.com/mozilla/treeherder/settings/hooks
- removed the "service specific user team" (which contains the mozsvcpyup user) from https://github.com/mozilla/treeherder/settings/collaboration
- removed all references to pyup from my personal GitHub account's OAuth apps list
Prior to the final bullet, I also tried to deactivate Treeherder via the pyup.io dashboard, however it said I was not able to do so, because I was not the person who had configured the project (which was mozsvcpyup).
I'd hoped that would be enough, however today we've had more PRs opened, e.g.:
https://github.com/mozilla/treeherder/pull/4599
These PRs are from branches on the upstream repo, i.e. it means pyup still has write access even though I removed the user.
Is it somehow inheriting access from the org-wide oauth permissions?
Is there anything I can do to block it from the Treeherder repo? (I've emailed pyup support, but not sure how responsive they'll be given past experiences.)
Comment 1•7 years ago
So on my GitHub activity page (the homepage when logged in), I see the pyup commits are associated with jgraham's account.
James I'm presuming pyup has oauth permissions on your personal account and so is somehow using that to make the branches on mozilla/treeherder?
Comment 2•7 years ago
I have no idea what's going on tbh.
I can revoke all OAuth permissions from pyup but I can't just revoke permissions to the mozilla org (which I don't think would be correct anyway). Since it's being used in other places, that's no use. When I try to remove the repo from my account it claims that davehunt added it and therefore has to be the person to remove it.
Comment 4•7 years ago
Many thanks!
(It's still worrying that pyup could just make changes to our repo again should it choose, via inherited permissions. Roll on banning the last of the oauth integrations in favour of GitHub apps)
Comment 5•7 years ago
:g-k you're the pyup guru -- any idea what happened here? I don't see anything odd from the GitHub org side.
Comment 6•7 years ago
I think it's more to do with GitHub's awful oauth permission model rather than something specific to pyup. (Albeit pyup's own weird permissions model that only allows certain users to disable it running on a project didn't help)
(In reply to Hal Wine [:hwine] (use NI, please) from comment #5)
> :g-k you're the pyup guru -- any idea what happened here? I don't see anything odd from the GitHub org side.
treeherder is not enabled in the pyup dashboard for the mozsvcpyup user. I can check with pyup support if that'd help since there might be some delay on their end updating the bot's config.
Assuming branch protection is enabled, security impact is limited to spam PRs.
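The description above infers that the integration still has write access from the fact that its PRs come from branches in the upstream repo rather than from a fork, and comment 6 notes that branch protection is what limits the impact. The script below is an added example (not code from this bug, from Treeherder, or from pyup) that turns both observations into a repeatable audit: it lists open PRs whose head branch lives in the repository itself and flags branch-protection settings that would let such a branch land unreviewed. It uses the GitHub REST endpoints `GET /repos/{owner}/{repo}/pulls` and `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the sample PR and protection JSON embedded at the bottom are constructed in the shape of those responses so the checks run offline, and the branch name and protection values in them are assumptions, not data from the bug.

```python
"""Audit a GitHub repository for PRs opened from branches inside the repo
(not from forks) and for branch-protection gaps.

Added example for the bug above; not code from the bug, Treeherder or pyup.
The pure functions run offline on the constructed sample data at the bottom;
fetch_open_prs() and fetch_protection() show the real API calls and need a token.
"""
import json
import os
import urllib.request

API = "https://api.github.com"


def _get(path: str, token: str):
    """Authenticated GET against the GitHub REST API, returning parsed JSON."""
    req = urllib.request.Request(
        f"{API}{path}",
        headers={"Authorization": f"token {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_open_prs(owner: str, repo: str, token: str) -> list:
    """GET /repos/{owner}/{repo}/pulls for open PRs (first page, up to 100)."""
    return _get(f"/repos/{owner}/{repo}/pulls?state=open&per_page=100", token)


def fetch_protection(owner: str, repo: str, branch: str, token: str) -> dict:
    """GET /repos/{owner}/{repo}/branches/{branch}/protection."""
    return _get(f"/repos/{owner}/{repo}/branches/{branch}/protection", token)


def upstream_branch_prs(prs: list, repo_full_name: str) -> list:
    """Return (number, login, head_ref) for PRs whose head branch lives in
    repo_full_name itself. Whoever pushed that branch has write access to the
    upstream repo, regardless of what the collaborators page shows."""
    hits = []
    for pr in prs:
        head = pr.get("head") or {}
        head_repo = head.get("repo") or {}  # None when the source fork was deleted
        if head_repo.get("full_name") == repo_full_name:
            hits.append((pr["number"], pr["user"]["login"], head["ref"]))
    return hits


def branch_protection_gaps(protection: dict) -> list:
    """Given the branch-protection JSON, list settings that would allow a
    pushed branch to be merged without review or passing checks."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews or reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("no required approving review")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("admins can bypass protection")
    if not (protection.get("required_status_checks") or {}).get("contexts"):
        gaps.append("no required status checks")
    return gaps


# Constructed sample data in the shape of the API responses (assumed values;
# PR 4599 is the number quoted in the bug, the branch name is made up).
SAMPLE_PRS = [
    {"number": 4599, "user": {"login": "pyup-bot"},
     "head": {"ref": "pyup-update-example-1.0-to-1.1",
              "repo": {"full_name": "mozilla/treeherder"}}},
    {"number": 4600, "user": {"login": "contributor"},
     "head": {"ref": "fix-thing", "repo": {"full_name": "contributor/treeherder"}}},
    {"number": 4601, "user": {"login": "ghost"},
     "head": {"ref": "stale", "repo": None}},
]
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": False},
    "required_status_checks": {"contexts": ["ci"]},
}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    if token:  # live audit; assumes a token with repo read access
        prs = fetch_open_prs("mozilla", "treeherder", token)
        protection = fetch_protection("mozilla", "treeherder", "master", token)
    else:  # offline run on the constructed sample
        prs, protection = SAMPLE_PRS, SAMPLE_PROTECTION
    for number, login, ref in upstream_branch_prs(prs, "mozilla/treeherder"):
        print(f"PR #{number} by {login} was pushed to upstream branch {ref}")
    for gap in branch_protection_gaps(protection):
        print(f"branch protection gap: {gap}")
```

Run without `GITHUB_TOKEN` to see the checks against the sample; with a token it audits the live repository. A PR reported by `upstream_branch_prs` whose author is not on the collaborators page is exactly the symptom described in this bug (an OAuth app acting with a member's inherited permissions), and an empty result from `branch_protection_gaps` is what makes comment 6's "limited to spam PRs" assessment hold.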