We need read/write privileges for your repositories to determine whether you are a contributor of this package.
If you click “Grant privileges”, GitHub kindly informs you that
JuliaHub is requesting additional permissions.
This application will be able to read your notifications (no code access).
This application will be able to read and write all public repository data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
To me, this is complete and utter nonsense. It’s as if to register my phone number in the phone book I had to give to the phone company free access to my house and the right to drive my car whenever they please.
And all these privileges are just to “determine whether you are a contributor of this package”? Really?
I logged in on JuliaHub using my GitHub credentials, how come they are not sufficient to verify that my account is the owner ot the package I’m trying to register?
Just so that you are aware, this is not JuliaHub’s fault. It is due to a limitation in the GitHub API. In order to use the GitHub API to list all collaborators of a repository, you need write access to that repository.
It’s really annoying too.
Do we have something tracked anywhere with GitHub to try and get them to change that, or add another permission type for it?
e.g. it makes it impossibly to grant someone permissions to register just 1 package within an org;
or to grant them permissions to register releases on a project on your personal account.
(e.g. for years pre-1.0 Malmaud and I were co-maintaining TensorFlow.jl which lived on Malmauds account. In 1.0 land, I would not be able to register releases AFAIK)
Consider for example PkgTemplates.jl, which is owned by the Invenia org. As far as I am aware, @christopher-dG is not currently a member of the Invenia GitHub org, but he is still able to register new versions of PkgTemplates.jl.
If we really want, we could just bypass the GitHub API, and have a feature like this:
Create a file named registrator-authorized-users.txt in the root of your package (i.e. in the same directory as your package’s Project.toml file) with contents as such:
I think he is. The question is: does he use the GitHub App comment bot (no write permissions needed) or the JuliaHub website (write permissions needed).
The issue might be: what is the source of the user’s write access?
The comment bot works as follows: when someone makes a comment, the bot receives a webhook payload (Webhook events and payloads - GitHub Docs). The payload includes the text contents of the comment and the user’s username. The payload also includes an AUTHOR_ASSOCIATION Field.
Now this is where things get tricky. If the user has write access because they are the repo owner (user owned repo case) or because they were manually added as an outside collaborator with write access (org owner repo case), then then the AUTHOR_ASSOCIATION field will reflect this, and the comment bot knows you have permission to register.
BUT, if you have write access only as a result of being a member of the organization (I.e. all members of the org have write access to this repo; you weren’t specifically added to this repo), then if I understand correctly, the AUTHOR_ASSOCIATION will NOT reflect your write access. In this case, the comment bot thinks you don’t have write access. So the comment bot is forced to check if you are an org member, and it uses the GitHub API to do so. Since the comment bot only has read access, it only has permission to access the public members of the org.
Anyway, this is all a little off-topic to the original post. The OP wants to register a package in a repo that is owned by their personal username, and they don’t want to give anyone write access to their repo. They can accomplish this by installing the GitHub App (“comment bot”) as described in my post above.
Can a Discourse admin (@vchuravy@mbauman) split this tangent discussion into a separate Discourse thread?
