Closed Bug 1638833 Opened 5 years ago Closed 5 years ago

Adding Zenodo to the authorized Mozilla Github apps.

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: egolge, Unassigned, NeedInfo)

Details

Zenodo is GitHub's supported way to make your repository citable in research papers.
This is specifically useful for Mozilla TTS and DeepSpeech, and probably other repos.

To enable our repos to be citable we should allow Zenodo to access our repos if it causes no issues.

https://zenodo.org/
https://guides.github.com/activities/citable-code/

Please see the wiki for how to request app installation (more information is needed). A couple of points:

  • we only enable apps for the repos that want them, so a specific list is needed
  • app additions can only be requested by an admin of that repo, so please ask them to state that in this bug if you don't have admin rights.
Flags: needinfo?(egolge)

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)

https://github.com/mozilla/DeepSpeech (I have admin access there)
https://github.com/mozilla/TTS (Eren has admin access)

** Are any of those repositories private?

No.

** Provide link to vendor's description of permissions needed and why

I can't find a page on Zenodo explaining the permissions, but here is the list from the OAuth page:

  • Repository webhooks and services (Admin access)
  • Organizations and teams (Read-only access)
  • Personal user data
    • Email addresses (read-only)

** Provide the Install link for a GitHub app

I can't find any install link, it's just an OAuth authorization flow.

I guess that, following the wiki for read-only OAuth apps, it is enough to send a request on GitHub. So I did that.

Flags: needinfo?(egolge)

Thanks for all the info. It's an ancient OAuth app -- I was hoping it was a modern "GitHub App", which has better security properties.

Zenodo is asking for a "problematic" permission: Admin access to the repo. I suspect their intent is only to use it during initial configuration (so you don't manually have to configure the web hook) -- but they have the access "forever" on all repos that you have admin rights for, in any organization (not just Mozilla). We use the following procedure for OAuth apps such as these:

  • We "deny" the app at the organization level, which just prevents it from working with private repos.
  • Ideally, you find documentation, or ask Zenodo support, for manually installing the webhooks. This way you never have to grant OAuth access.
  • If Zenodo doesn't support manual installation, then:
    • we recommend you (the repo admin) grant the OAuth access only for the duration of the initial configuration. Once the webhooks are in place, revoke the access.
    • use GitHub's procedure to find and revoke the OAuth grant.

If the above procedure does not work, you'll need to work with Zenodo support to address the issues. We do not grant access to private repos to any OAuth App.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
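The procedure above ends with "once the webhooks are in place, revoke the access", which implies a check that the hooks really are in place before the grant is pulled. The script below is an added example, not part of this bug and not Zenodo's or GitHub's own tooling: it audits a repository's webhook list in the JSON shape returned by GitHub's `GET /repos/{owner}/{repo}/hooks` endpoint (fetched separately with an admin token) and reports whether a single clean hook to the expected host exists. The hook URLs, ids and events in the sample are constructed placeholders; the `zenodo.org` receiver path in particular is invented for the example.

```python
"""Audit a repository's webhooks before revoking an OAuth app's access.

Added example. Input is the JSON array GitHub returns for
GET /repos/{owner}/{repo}/hooks; the sample below is constructed and the
URLs are placeholders, not real receiver endpoints.
"""
import json
from urllib.parse import urlparse

# Constructed sample response. GitHub masks a configured secret as
# "********" and omits the key entirely when no secret is set (assumption
# based on the documented response shape).
SAMPLE_HOOKS_JSON = """
[
  {"id": 1, "name": "web", "active": true, "events": ["release"],
   "config": {"url": "https://zenodo.org/placeholder/github-receiver",
              "content_type": "json", "insecure_ssl": "0", "secret": "********"}},
  {"id": 2, "name": "web", "active": true, "events": ["push"],
   "config": {"url": "http://ci.example.invalid/hook",
              "content_type": "form", "insecure_ssl": "1"}},
  {"id": 3, "name": "web", "active": false, "events": ["*"],
   "config": {"url": "https://unknown.example.invalid/hook",
              "content_type": "json", "insecure_ssl": "0"}}
]
"""


def load_sample_hooks():
    """Parse the constructed sample into the list the API would return."""
    return json.loads(SAMPLE_HOOKS_JSON)


def audit_hooks(hooks, allowed_hosts):
    """Return one finding per hook: its id, target host and a list of issues.

    An empty issue list means the hook delivers over HTTPS with certificate
    verification on, to a host on the allowlist, with a signing secret set,
    is active, and is not subscribed to every event.
    """
    findings = []
    for hook in hooks:
        cfg = hook.get("config", {})
        parsed = urlparse(cfg.get("url", ""))
        issues = []
        if parsed.scheme != "https":
            issues.append("delivery over plain http")
        if parsed.hostname not in allowed_hosts:
            issues.append("host not on allowlist")
        # GitHub stores insecure_ssl as the string "0" or "1".
        if str(cfg.get("insecure_ssl", "0")) != "0":
            issues.append("TLS verification disabled")
        if "secret" not in cfg:
            issues.append("no signing secret")
        if not hook.get("active", False):
            issues.append("inactive")
        if "*" in hook.get("events", []):
            issues.append("subscribed to all events")
        findings.append({"id": hook.get("id"), "host": parsed.hostname, "issues": issues})
    return findings


def ready_to_revoke(hooks, expected_host):
    """True when exactly one clean, active hook points at expected_host.

    That is the moment the thread's procedure says the temporary OAuth
    grant should be revoked: the vendor's hook is in place and nothing
    else about the hook configuration needs the app's admin access.
    """
    clean = [f for f in audit_hooks(hooks, {expected_host})
             if f["host"] == expected_host and not f["issues"]]
    return len(clean) == 1


if __name__ == "__main__":
    sample = load_sample_hooks()
    for finding in audit_hooks(sample, {"zenodo.org"}):
        status = "ok" if not finding["issues"] else ", ".join(finding["issues"])
        print(f"hook {finding['id']} -> {finding['host']}: {status}")
    print("safe to revoke OAuth grant:", ready_to_revoke(sample, "zenodo.org"))
```

Run it against the real response by replacing `SAMPLE_HOOKS_JSON` with the output of the hooks endpoint; the allowlist is the set of hosts the repo admin expects to be receiving events, so any hook outside it is worth a look regardless of which app created it.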

(In reply to Hal Wine [:hwine] (use NI, please) from comment #4)

  • If Zenodo doesn't support manual installation, then:
    • we recommend you (the repo admin) grant the OAuth access only for the duration of the initial configuration. Once the webhooks are in place, revoke the access.

Can you clarify how we can grant the access? I can't find any way to do this on the GitHub UI.

Flags: needinfo?(hwine)

(In reply to Reuben Morais [:reuben] from comment #5)

Can you clarify how we can grant the access? I can't find any way to do this on the GitHub UI.

The grant happens on the Zenodo side. At some point, Zenodo will ask you to "log in" or otherwise authenticate via GitHub.

The revoke is something you do on the GitHub side. Yet another reason the OAuth apps are not my favorites -- I like symmetry! :)

Flags: needinfo?(hwine) → needinfo?(reuben.morais)

I cannot grant access to mozilla repositories when logging in with GitHub, even ones where I have admin privileges, because the mozilla organization is marked as not allowed.

Flags: needinfo?(reuben.morais)
Flags: needinfo?(hwine)

(In reply to Reuben Morais [:reuben] from comment #7)

I cannot grant access to mozilla repositories when logging in with GitHub, even ones where I have admin privileges, because the mozilla organization is marked as not allowed.

Sorry to hear that. You'll need to work something out with Zenodo support. The "not allowed" is supposed to only apply to private repositories, which neither of yours are.

Zenodo support has likely had this issue before -- they may have "manual install" instructions they don't post with their public docs.

Please do update with the final result, so we'll have that on file if someone else wants to use Zenodo.

Flags: needinfo?(hwine) → needinfo?(reuben.morais)