diff --git a/compiler/native/compile.go b/compiler/native/compile.go
index c751d9f9b..5e0f7a857 100644
--- a/compiler/native/compile.go
+++ b/compiler/native/compile.go
@@ -48,20 +48,8 @@ func (c *client) Compile(ctx context.Context, v interface{}) (*pipeline.Build, *
 // this has to occur after Parse because the scm configurations might be set in yaml
 // netrc can be provided directly using WithNetrc for situations like local exec
 if c.netrc == nil && c.scm != nil {
- // ensure restrictive defaults for the netrc for scms that support granular permissions
- if p.Git.Repositories == nil {
- p.Git.Repositories = []string{c.repo.GetName()}
- }
-
- if p.Git.Permissions == nil {
- p.Git.Permissions = map[string]string{
- constants.AppInstallResourceContents: constants.AppInstallPermissionRead,
- constants.AppInstallResourceChecks: constants.AppInstallPermissionWrite,
- }
- }
-
 // get the netrc password from the scm
- netrc, err := c.scm.GetNetrcPassword(ctx, c.repo, c.user, p.Git.Repositories, p.Git.Permissions)
+ netrc, err := c.scm.GetNetrcPassword(ctx, c.repo, c.user, p.Git)
 if err != nil {
 return nil, nil, err
 }
diff --git a/scm/github/repo.go b/scm/github/repo.go
index f6b84f1fd..91f0c5e21 100644
--- a/scm/github/repo.go
+++ b/scm/github/repo.go
@@ -14,6 +14,7 @@ import (
 "github.com/sirupsen/logrus"
 api "github.com/go-vela/server/api/types"
+ "github.com/go-vela/server/compiler/types/yaml"
 "github.com/go-vela/server/constants"
 )
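Review bot: The least-privilege defaults removed from Compile in the first hunk are no longer applied at the call site, so whether a pipeline with no `git` settings gets a narrowly scoped token now depends on each scm.Service implementation. Only the GitHub client's fallback is visible in this diff; any other implementation of GetNetrcPassword would need the same behaviour. That contract is worth stating on the interface method in scm/service.go, e.g. `// Implementations must scope the token to the triggering repo and minimal permissions when the yaml.Git fields are unset.` Compile's body starts and ends outside the hunk.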
@@ -679,7 +680,7 @@ func (c *client) GetBranch(ctx context.Context, r *api.Repo, branch string) (str
 // GetNetrcPassword returns a clone token using the repo's github app installation if it exists.
 // If not, it defaults to the user OAuth token.
-func (c *client) GetNetrcPassword(ctx context.Context, r *api.Repo, u *api.User, repos []string, perms map[string]string) (string, error) {
+func (c *client) GetNetrcPassword(ctx context.Context, r *api.Repo, u *api.User, g yaml.Git) (string, error) {
 l := c.Logger.WithFields(logrus.Fields{
 "org": r.GetOrg(),
 "repo": r.GetName(),
@@ -692,10 +693,11 @@ func (c *client) GetNetrcPassword(ctx context.Context, r *api.Repo, u *api.User,
 // repos that the token has access to
 // providing no repos, nil, or empty slice will default the token permissions to the list
 // of repos added to the installation
- //
- // the compiler will set restrictive defaults with access to the triggering repo
+ repos := g.Repositories
+
+ // use triggering repo as a restrictive default
 if repos == nil {
- repos = []string{}
+ repos = []string{r.GetName()}
 }
 // convert repo fullname org/name to just name for usability
@@ -719,7 +721,12 @@ func (c *client) GetNetrcPassword(ctx context.Context, r *api.Repo, u *api.User,
 Checks: github.String(constants.AppInstallPermissionWrite),
 }
- for resource, perm := range perms {
+ permissions := g.Permissions
+ if permissions == nil {
+ permissions = map[string]string{}
+ }
+
+ for resource, perm := range permissions {
 ghPerms, err = applyGitHubInstallationPermission(ghPerms, resource, perm)
 if err != nil {
 l.Errorf("unable to create github app installation token with permission %s:%s: %v", resource, perm, err)
@@ -735,7 +742,7 @@ func (c *client) GetNetrcPassword(ctx context.Context, r *api.Repo, u *api.User,
 // maybe take an optional list of repos and permission set that is driven by yaml
 t, err := c.newGithubAppInstallationRepoToken(ctx, r, repos, ghPerms)
 if err != nil {
- l.Errorf("unable to create github app installation token for repos %v with permissions %v: %v", repos, perms, err)
+ l.Errorf("unable to create github app installation token for repos %v with permissions %v: %v", repos, permissions, err)
 // return the legacy token along with no error for backwards compatibility
 // todo: return an error based based on app installation requirements
diff --git a/scm/service.go b/scm/service.go
index 9e8ff96d9..beb5eec0b 100644
--- a/scm/service.go
+++ b/scm/service.go
@@ -7,6 +7,7 @@ import (
 "net/http"
 api "github.com/go-vela/server/api/types"
+ "github.com/go-vela/server/compiler/types/yaml"
 "github.com/go-vela/server/database"
 "github.com/go-vela/server/internal"
 )
@@ -143,7 +144,7 @@ type Service interface {
 GetHTMLURL(context.Context, *api.User, string, string, string, string) (string, error)
 // GetNetrc defines a function that returns the netrc
 // password injected into build steps.
- GetNetrcPassword(context.Context, *api.Repo, *api.User, []string, map[string]string) (string, error)
+ GetNetrcPassword(context.Context, *api.Repo, *api.User, yaml.Git) (string, error)
 // SyncRepoWithInstallation defines a function that syncs
 // a repo with the installation, if it exists.
 SyncRepoWithInstallation(context.Context, *api.Repo) (*api.Repo, error)