Can I complain a bit about GitHub? Why can I only authorize my entire GitHub account for third-party access? Could things be slightly better if the authorization were done at the repository level?
GitHub provides a way for more granular third-party access: GitHub Apps. There, access can be set on a repository level [1]. E.g. Netlify can be configured as a GitHub app.
It seems like Docker Hub is implemented as an OAuth app [2], where these granular options are not available and you have to grant access to all your repositories.
You could implement OAuth per repo if GitHub wanted to, though. Or, alternatively, can you grant access to a specific organisation? Not sure. The default should be per-repo auth IMO.
Honest question: what's the point of using OAuth when the Authz is so coarse? Why not augment it to have scopes per repo? Is it considered bad practice to have a variable (repo name) as a scope?
IIRC the OAuth2-interfacing application needs to (or at least should) know beforehand exactly what to request access to, so if that's read/write access to all of the user's content, it's trivial. For the external application to know something specific like a particular resource is more complicated to deal with (especially with private/hidden content), so most OAuth providers don't provide that level of granularity. It can be done, it just requires more engineering than most (all?) off-the-shelf OAuth solutions provide, and it's more control than most users actually need.
I found this snippet on Docker Hub's Linked Account Settings:
> Service user (or machine/bot account) suggested
> Attaching your personal GitHub or Bitbucket account to this Docker Hub organization will allow other organization owners to create builds from your private repositories. We suggest using a service user (also referred to as a machine user or bot account).
Seems worthwhile to do this, if you're an enterprise or otherwise have sensitive private repos. But I agree that it would be better to have an easier per-repo authorization system, since many users won't bother going through the hassle of setting up a service account.
> > Attaching your personal GitHub or Bitbucket account to this Docker Hub organization will allow other organization owners to create builds from your private repositories. We suggest using a service user (also referred to as a machine user or bot account).
In my case I don't even know why it needs read and WRITE access to ALL repositories. All I want is for it to build one public repository. It doesn't need any special permissions for that at all.
Seems that Docker Hub is using the GitHub OAuth permissions to do three things:
- retrieve a list of all repos to display in the autobuild setup page
- set up webhooks for the GitHub repo that should be built via Docker Hub autobuild
- set up a deploy key for said repo, so that it can be cloned
I removed the Docker Hub OAuth on the GitHub side after setting up autobuild. My builds on push to master and tag are still working. So it seems possible to remove Docker Hub's write access to your GitHub repos after the autobuild setup, which really seems to be a good idea.
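To make the "variable as a scope" question from earlier in the thread concrete, here is a toy authorization model (added for this thread, not code from GitHub, Docker Hub or any commenter) in which a scope may optionally be pinned to one repository. The scope syntax `resource:level@owner/name`, the resource names (`repo`, `hooks`, `deploy_keys`) and the function names are all invented for the example. The three checked operations are the ones the comment above says Docker Hub's autobuild performs; the example shows that a per-repo grant covers them for the one repository being built while the account-wide `repo:write` style grant covers everything.

```python
"""Toy model of resource-scoped OAuth authorization.

Hypothetical scope grammar (invented for this example, not GitHub's):
    <resource>:<level>                 account-wide, e.g. "repo:write"
    <resource>:<level>@<owner>/<name>  limited to one repository
Levels are ordered: read < write < admin.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = {"read": 0, "write": 1, "admin": 2}
RESOURCES = {"repo", "hooks", "deploy_keys"}


@dataclass(frozen=True)
class Scope:
    resource: str
    level: str
    repo: Optional[str]  # None means the scope applies to every repository

    @classmethod
    def parse(cls, text: str) -> "Scope":
        body, _, repo = text.partition("@")
        resource, _, level = body.partition(":")
        if resource not in RESOURCES or level not in LEVELS:
            raise ValueError(f"bad scope: {text!r}")
        return cls(resource, level, repo or None)

    def covers(self, resource: str, level: str, repo: str) -> bool:
        """True if this grant is sufficient for `level` on `resource` of `repo`."""
        if self.resource != resource or LEVELS[self.level] < LEVELS[level]:
            return False
        return self.repo is None or self.repo == repo


def parse_scopes(text: str) -> List[Scope]:
    """Parse a space-separated scope string as it would appear in a token grant."""
    return [Scope.parse(s) for s in text.split()]


def authorize(granted: List[Scope], resource: str, level: str, repo: str) -> bool:
    return any(s.covers(resource, level, repo) for s in granted)


def visible_repos(granted: List[Scope], all_repos: List[str]) -> List[str]:
    """Repos a 'list my repositories' call would return under these grants.
    With a per-repo grant the app only learns about the repos it was given."""
    return [r for r in all_repos if authorize(granted, "repo", "read", r)]


# The three operations the thread attributes to Docker Hub's autobuild setup,
# expressed as (resource, minimum level) on the repository being built.
AUTOBUILD_OPERATIONS: List[Tuple[str, str, str]] = [
    ("list repositories", "repo", "read"),
    ("create webhook", "hooks", "write"),
    ("add deploy key", "deploy_keys", "write"),
]


def autobuild_check(granted: List[Scope], repo: str) -> dict:
    """Map each autobuild operation to whether the grant allows it on `repo`."""
    return {name: authorize(granted, res, lvl, repo)
            for name, res, lvl in AUTOBUILD_OPERATIONS}


if __name__ == "__main__":
    # Constructed sample data for the demo.
    repos = ["acme/api", "acme/secret", "me/dotfiles"]
    coarse = parse_scopes("repo:write hooks:admin deploy_keys:write")
    narrow = parse_scopes(
        "repo:read@acme/api hooks:write@acme/api deploy_keys:write@acme/api")
    for label, grant in (("account-wide", coarse), ("per-repo", narrow)):
        print(label, "sees:", visible_repos(grant, repos))
        print(label, "acme/api:", autobuild_check(grant, "acme/api"))
        print(label, "acme/secret:", autobuild_check(grant, "acme/secret"))
```

The point of the model is that the per-repo grant is exactly enough for the build setup on `acme/api` and nothing else, whereas the account-wide grant also lets the app enumerate and modify `acme/secret`; the extra engineering the per-repo form needs is that the requesting app must name the repository up front, which is what the earlier reply identifies as the reason most providers stop at coarse scopes.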