Git Gateway - Unnecessary Request for GitHub Authorisation

Hello,

I have created a public playground project on GitHub to try Netlify CMS.

The site builds successfully on Netlify and I can browse it fine. I have enabled the Netlify Identity service and created a user.

I attempted to enable and configure Git Gateway. However, Netlify requests read/write access to public and private repositories which seems to be unnecessary as my GitHub project is already public.

I then went on to the One Click Hugo CMS template and deployed it. When I attempted to enable Git Gateway, Netlify requested read/write access only to public repositories as I would expect. Two more observations here:

  1. Unlike my first site, the latter site on Netlify has a prompt on Overview Page: “Install the new GitHub App Restrict repository access and get rich deploy summaries in your pull requests.”
  2. On the second site, when I disabled Git Gateway and attempted to enable again, Netlify requests read/write access again to public and private repositories like in the first site.

Which behaviour is the expected one?

PS: I understand that Git Gateway is a beta feature which works absolutely fine otherwise.

Thanks in advance!

@vst while we would love to provide the possibility for the CMS to only access public repositories, the CMS authenticates with GitHub using OAuth, which means we can only request the OAuth permissions that GitHub makes available. As you can see in the GitHub API documentation, there is no way to ask for access to public repos without also asking for access to private repos. Specifically, the repo permission that we use to push content to your repository has the following description:

Grants full access to private and public repositories. That includes read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, and deployment statuses for public and private repositories and organizations. Also grants ability to manage user projects.

There is no less extensive permission we can request that still allows the CMS to function. If GitHub elects to change this in the future, we would be happy to make this configurable, but it’s unfortunately out of our hands at the time being.

2 Likes

thank you @benaiah! that was super helpful.

Thanks @benaiah.

I understand that Git Gateway does not use the Netlify GitHub App, but instead uses OAuth App, right?

The Netlify GitHub App requests access to individual repositories. Is there any reason Git Gateway is not using the same access credentials as the site’s own “Build & Deploy” settings? Or at least the same method?

Is there any reason Git Gateway is not using the same access credentials as the site’s own “Build & Deploy” settings? Or at least the same method?

Git Gateway does not use the Netlify GitHub app for authentication; instead, it uses the OAuth workflow to make actions on behalf of a single specified user.

The CMS and Git Gateway have existed since before GitHub Apps were released or capable of all the API actions needed for the CMS. The two projects have not yet had GitHub App integration added, and that will require additional development work. Additionally, we’ll have to continue to maintain the OAuth code, since it is much more straightforward to use if you’re self-hosting the authentication server (cf. Overview | Decap CMS | Open-Source Content Management System).

It’s absolutely understandable that you’d want the more fine-grained permissions of the GitHub Apps model, and I’m not seeing any clear infeasibility between the CMS+Git Gateway and the Apps API. Given that, I’d welcome you to create an issue for that at Sign in to GitHub · GitHub.

While it’s obviously not as reassuring as a fine-grained permissions model, do note that Git Gateway is open source, and you can review the code here: GitHub - netlify/git-gateway: A Gateway to Git APIs.

1 Like

Thank you very much for the detailed explanation and guidance, @benaiah. Much appreciated.

1 Like