On Wed, Nov 13, 2019 at 12:40 PM Neal Gompa <ngompa13(a)gmail.com> wrote:
Why does zuul need to be an admin on the repository?
That's a good question. Ideally the commit access would have only be needed
also a gating system, it merges the code) but dealing with the events and
brings some difficulties at authentication level. Here is the explanation.
Zuul needs to receive Pull Request and Git repo events but also it needs to
able to act on the PR via the API. To receive events Zuul relies on the
Pagure Web Hook
feature, Zuul serves an HTTP endpoint that Pagure uses to send payloads in
events. Payloads need to be authenticated, to do so Zuul needs to know the
Web Hook token configured in Pagure in the repository settings. To use the
needs the repository API key. Both the Web Hook Token and the API Key are
unique per repository on Pagure. For each configured Pagure repository,
discover the Web Hook Token and create/reuse an API key via the Pagure API
(connector endpoint) and this requires admin right on the related
I'm not aware of other ready to use solutions for that use case. For
instance, to mitigate
this, in the future Pagure could provide another user role level with
commit access +
access to the connector endpoint . In fact having this would ease third
integration with Pagure. For instance on Github, there is that concept of
Zuul relies on it to integrate easily with Github repositories.
I hope my explanation makes sense :)