Registrator's crazy privileges

I was trying to register a package on https://juliahub.com/ui/Registrator but got stuck at a scary banner:

We need read/write privileges for your repositories to determine whether you are a contributor of this package.

If you click “Grant privileges”, GitHub kindly informs you that

JuliaHub is requesting additional permissions.
This application will be able to read your notifications (no code access).
This application will be able to read and write all public repository data. This includes the following:

  • Code
  • Issues
  • Pull requests
  • Wikis
  • Settings
  • Webhooks and services
  • Deploy keys

To me, this is complete and utter nonsense. It’s as if to register my phone number in the phone book I had to give to the phone company free access to my house and the right to drive my car whenever they please.

And all these privileges are just to “determine whether you are a contributor of this package”? Really?

I logged in on JuliaHub using my GitHub credentials, how come they are not sufficient to verify that my account is the owner of the package I’m trying to register?

Try using the Registrator.jl GitHub App (also called the “comment bot”), which you can install here: Sign in to GitHub · GitHub

The GitHub App does not require any write permissions. It only requires some read permissions. Here are the permissions that the GitHub App needs:

More details here: GitHub - JuliaRegistries/Registrator.jl: Julia package registration bot

In particular, see the “Via the GitHub App” section of the README: https://github.com/JuliaRegistries/Registrator.jl/blob/master/README.md#via-the-github-app

5 Likes

Just so that you are aware, this is not JuliaHub’s fault. It is due to a limitation in the GitHub API. In order to use the GitHub API to list all collaborators of a repository, you need write access to that repository.

8 Likes

It’s really annoying too.
Do we have something tracked anywhere with GitHub to try and get them to change that, or add another permission type for it?

e.g. it makes it impossible to grant someone permissions to register just 1 package within an org;
or to grant them permissions to register releases on a project on your personal account.
(e.g. for years pre-1.0 Malmaud and I were co-maintaining TensorFlow.jl which lived on Malmaud's account. In 1.0 land, I would not be able to register releases AFAIK)

1 Like

You should still be able to do this with the GitHub App (“comment bot”).

E.g. Gaius.jl is owned by Mason’s personal account, but I just registered a new version of Gaius using the comment bot.

1 Like

How does that work?
When for GitHub orgs I need to be a public member?

It should still work for orgs.

Consider for example PkgTemplates.jl, which is owned by the Invenia org. As far as I am aware, @christopher-dG is not currently a member of the Invenia GitHub org, but he is still able to register new versions of PkgTemplates.jl.

If we really want, we could just bypass the GitHub API, and have a feature like this:

Create a file named registrator-authorized-users.txt in the root of your package (i.e. in the same directory as your package’s Project.toml file) with contents as such:

@DilumAluthge
@oxinabox

And those are the users allowed to register.

Is he? That was actually the exact situation I was worried about.

I think he is. The question is: does he use the GitHub App comment bot (no write permissions needed) or the JuliaHub website (write permissions needed).

@christopher-dG

The issue might be: what is the source of the user’s write access?

The comment bot works as follows: when someone makes a comment, the bot receives a webhook payload (Webhook events and payloads - GitHub Docs). The payload includes the text contents of the comment and the user’s username. The payload also includes an AUTHOR_ASSOCIATION field.

Now this is where things get tricky. If the user has write access because they are the repo owner (user owned repo case) or because they were manually added as an outside collaborator with write access (org owner repo case), then the AUTHOR_ASSOCIATION field will reflect this, and the comment bot knows you have permission to register.

BUT, if you have write access only as a result of being a member of the organization (i.e. all members of the org have write access to this repo; you weren’t specifically added to this repo), then if I understand correctly, the AUTHOR_ASSOCIATION will NOT reflect your write access. In this case, the comment bot thinks you don’t have write access. So the comment bot is forced to check if you are an org member, and it uses the GitHub API to do so. Since the comment bot only has read access, it only has permission to access the public members of the org.

Anyway, this is all a little off-topic to the original post. The OP wants to register a package in a repo that is owned by their personal username, and they don’t want to give anyone write access to their repo. They can accomplish this by installing the GitHub App (“comment bot”) as described in my post above.

Can a Discourse admin (@vchuravy @mbauman) split this tangent discussion into a separate Discourse thread?

2 Likes
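The authorization decision described in the post above (trust AUTHOR_ASSOCIATION for owners and outside collaborators, fall back to the public org member list a read-only app can see), plus the proposed registrator-authorized-users.txt allow-list from the earlier post, as an added example. This is constructed illustration code, not Registrator.jl's own implementation; the payload shape is reduced to the fields the thread mentions and the trigger phrase is an assumption.

```python
# Constructed example, not Registrator.jl's own code: the authorization decision the
# thread describes, with the proposed allow-list file as an additional fallback.
REGISTER_COMMAND = "@JuliaRegistrator register"   # trigger phrase (assumed here)
EXPLICIT_WRITE = {"OWNER", "COLLABORATOR"}         # author_association values that, per the
                                                  # thread, reflect explicit write access.
                                                  # MEMBER is deliberately not trusted:
                                                  # membership alone does not show write access.

def make_payload(login, association, owner_type, body=REGISTER_COMMAND):
    """Build the subset of an issue_comment webhook payload used below (constructed)."""
    return {
        "comment": {"body": body, "user": {"login": login},
                    "author_association": association},
        "repository": {"owner": {"login": "SomeOrg", "type": owner_type}},
    }

def parse_allowlist(text):
    """Parse the proposed registrator-authorized-users.txt: one @handle per line."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line.lstrip("@").lower())
    return users

def authorize(payload, public_members=frozenset(), allowlist=frozenset()):
    """Return (allowed, reason) for one comment, mirroring the thread's description.

    public_members: the org members a read-only app can list (public members only), so a
    private member whose write access comes solely from org membership is denied here."""
    comment = payload["comment"]
    if REGISTER_COMMAND not in comment["body"]:
        return False, "not a register command"
    login = comment["user"]["login"].lower()
    association = comment["author_association"]
    if association in EXPLICIT_WRITE:          # repo owner or outside collaborator
        return True, f"author_association={association}"
    if login in allowlist:                     # proposed per-repo allow-list file
        return True, "listed in registrator-authorized-users.txt"
    owner = payload["repository"]["owner"]
    if owner["type"] == "Organization" and login in public_members:
        return True, "public org member"
    return False, "write access not visible to a read-only app"

if __name__ == "__main__":
    allow = parse_allowlist("@DilumAluthge\n@oxinabox\n")
    print(authorize(make_payload("oxinabox", "NONE", "Organization"), allowlist=allow))
```

The last branch is the failure mode the post describes: a private org member with org-wide write access is refused because the read-only app cannot see that membership.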

Sorry, haven’t checked Discourse for some time.

I’m not a member of the Invenia org, I’m just a collaborator on PkgTemplates.jl. I use the comment bot generally.

2 Likes