fix(dev-infra): merge script should not always require full repo permissions (#37718)
We recently added OAuth scope checking to the dev-infra Git client and started leveraging it for the merge script. We set the `repo` scope as required for running the merge script. We can loosen this requirement as in the Angular org where the script is consumed, only pull requests on public repositories are merged through the script. This should help with reducing the risk with compromised tokens as no access had to be granted on `repo:invite`, `repo_deployment` etc. PR Close #37718
This commit is contained in:
parent
dbc2364d16
commit
3ee666580a
|
@ -16,9 +16,6 @@ import {isPullRequest, loadAndValidatePullRequest,} from './pull-request';
|
|||
import {GithubApiMergeStrategy} from './strategies/api-merge';
|
||||
import {AutosquashMergeStrategy} from './strategies/autosquash-merge';
|
||||
|
||||
/** Github OAuth scopes required for the merge task. */
|
||||
const REQUIRED_SCOPES = ['repo'];
|
||||
|
||||
/** Describes the status of a pull request merge. */
|
||||
export const enum MergeStatus {
|
||||
UNKNOWN_GIT_ERROR,
|
||||
|
@ -56,8 +53,19 @@ export class PullRequestMergeTask {
|
|||
* @param force Whether non-critical pull request failures should be ignored.
|
||||
*/
|
||||
async merge(prNumber: number, force = false): Promise<MergeResult> {
|
||||
// Assert the authenticated GitClient has access on the required scopes.
|
||||
const hasOauthScopes = await this.git.hasOauthScopes(...REQUIRED_SCOPES);
|
||||
// Check whether the given Github token has sufficient permissions for writing
|
||||
// to the configured repository. If the repository is not private, only the
|
||||
// reduced `public_repo` OAuth scope is sufficient for performing merges.
|
||||
const hasOauthScopes = await this.git.hasOauthScopes((scopes, missing) => {
|
||||
if (!scopes.includes('repo')) {
|
||||
if (this.config.remote.private) {
|
||||
missing.push('repo');
|
||||
} else if (!scopes.includes('public_repo')) {
|
||||
missing.push('public_repo');
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
if (hasOauthScopes !== true) {
|
||||
return {
|
||||
status: MergeStatus.GITHUB_ERROR,
|
||||
|
|
|
@ -21,6 +21,8 @@ export interface GitClientConfig {
|
|||
name: string;
|
||||
/** If SSH protocol should be used for git interactions. */
|
||||
useSsh?: boolean;
|
||||
/** Whether the specified repository is private. */
|
||||
private?: boolean;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -21,6 +21,9 @@ type RateLimitResponseWithOAuthScopeHeader = Octokit.Response<Octokit.RateLimitG
|
|||
headers: {'x-oauth-scopes': string};
|
||||
};
|
||||
|
||||
/** Describes a function that can be used to test for given Github OAuth scopes. */
|
||||
export type OAuthScopeTestFunction = (scopes: string[], missing: string[]) => void;
|
||||
|
||||
/** Error for failed Git commands. */
|
||||
export class GitCommandError extends Error {
|
||||
constructor(client: GitClient, public args: string[]) {
|
||||
|
@ -155,14 +158,11 @@ export class GitClient {
|
|||
* Assert the GitClient instance is using a token with permissions for the all of the
|
||||
* provided OAuth scopes.
|
||||
*/
|
||||
async hasOauthScopes(...requestedScopes: string[]): Promise<true|{error: string}> {
|
||||
const missingScopes: string[] = [];
|
||||
async hasOauthScopes(testFn: OAuthScopeTestFunction): Promise<true|{error: string}> {
|
||||
const scopes = await this.getAuthScopesForToken();
|
||||
requestedScopes.forEach(scope => {
|
||||
if (!scopes.includes(scope)) {
|
||||
missingScopes.push(scope);
|
||||
}
|
||||
});
|
||||
const missingScopes: string[] = [];
|
||||
// Test Github OAuth scopes and collect missing ones.
|
||||
testFn(scopes, missingScopes);
|
||||
// If no missing scopes are found, return true to indicate all OAuth Scopes are available.
|
||||
if (missingScopes.length === 0) {
|
||||
return true;
|
||||
|
|
Loading…
Reference in New Issue