This repository has been archived by the owner on Aug 1, 2023. It is now read-only.

[Error] gyro is not able to find and initialize private repositories #91

Open
haze opened this issue May 31, 2021 · 2 comments

haze commented May 31, 2021

I tried to create a gyro manifest for a project that I am working on. Currently, I have the source stored in a private repository on GitHub. When running

gyro init haze/top_secret_super_secret_dont_share

I am met with this:

got http status code for https://api.github.com/repos/haze/top_secret_super_secret_dont_share: 404{"message":"Not Found","documentation_url":"https://docs.github.com/rest/reference/repos#get-a-repository"}
@truemedian
Contributor

I think the actual issue here is that fetching a private repo requires a bearer token with an additional scope. Currently, gyro's bearer token is only used for reading user data (name and email) on the server side. The token is passed in plaintext as a header, so adding more scopes (especially scopes that provide data not available to the public) is a definite vulnerability.

Owner

mattnite commented Jun 9, 2021

I think it would be best to manage two different tokens; not everyone is going to both publish and use private repos. We could have a secrets or tokens subcommand that lets the user manage tokens and initiate the device polling thing for GitHub by itself.

This also opens up avenues for other systems, but I wouldn't worry about coming up with something too complicated since gyro is at its scope; I only want to maintain it and improve the UX for things it can already do.
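The two-token split discussed in this thread, sketched as an added example (not gyro's code and not written by any participant). It assumes a hypothetical registry host `registry.example`, hypothetical purpose names, and the GitHub scopes `read:user`, `user:email` and `repo`; the granted scopes are read from the `X-OAuth-Scopes` response header GitHub returns for a token.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# value: the bearer token; scopes_header: the X-OAuth-Scopes value GitHub
# returned the last time this token was used.
Token = namedtuple("Token", "value scopes_header")

# Assumed policy, not gyro's: one token per purpose, pinned to a single host
# and to the widest scope set that purpose needs.
POLICY = {
    "publish": ("registry.example", {"read:user", "user:email"}),
    "private_fetch": ("api.github.com", {"repo"}),
}

def parse_scopes(header_value):
    """Split a comma-separated X-OAuth-Scopes value into a set of scopes."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def auth_header(purpose, url, store):
    """Return the Authorization header for `purpose`, or refuse."""
    host, allowed = POLICY[purpose]
    parts = urlsplit(url)
    # The token travels as a plain header, so only send it over TLS and only
    # to the one host it was issued for.
    if parts.scheme != "https" or parts.hostname != host:
        raise ValueError(f"{purpose} token may only go to https://{host}")
    token = store[purpose]  # KeyError: never fall back to the other token
    extra = parse_scopes(token.scopes_header) - allowed
    if extra:
        raise PermissionError(f"{purpose} token is over-scoped: {sorted(extra)}")
    return {"Authorization": f"Bearer {token.value}"}

# Constructed sample store; token values are placeholders.
STORE = {
    "publish": Token("constructed-publish-token", "read:user, user:email"),
    "private_fetch": Token("constructed-fetch-token", "repo"),
}

if __name__ == "__main__":
    url = "https://api.github.com/repos/haze/example"
    print(auth_header("private_fetch", url, STORE))
```

A user who only publishes never stores a `repo`-scoped token, and the private-repo token is never attached to a request bound for the registry.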
