Hi Neal,

On Wed, Nov 13, 2019 at 12:40 PM Neal Gompa <ngompa13@gmail.com> wrote:

> Why does zuul need to be an admin on the repository?

That's a good question. Ideally only commit access would be needed (Zuul is
also a gating system, it merges the code), but dealing with the events and API
brings some difficulties at the authentication level. Here is the explanation.
Zuul needs to receive Pull Request and Git repo events, but it also needs to be
able to act on the PR via the API. To receive events, Zuul relies on the Pagure Web Hook
feature: Zuul serves an HTTP endpoint that Pagure uses to send payloads in case of
events. Payloads need to be authenticated; to do so, Zuul needs to know the
Web Hook token configured in Pagure in the repository settings. To use the API, Zuul
needs the repository API key. Both the Web Hook Token and the API Key are
unique per repository on Pagure. For each configured Pagure repository, Zuul will
discover the Web Hook Token and create/reuse an API key via the Pagure API
(connector endpoint), and this requires admin rights on the related repository.

I'm not aware of other ready-to-use solutions for that use case. For instance, to mitigate
this, in the future Pagure could provide another user role level with commit access +
access to the connector endpoint [1]. In fact, having this would ease third-party application
integration with Pagure. For instance, on GitHub there is the concept of an application, and
Zuul relies on it to integrate easily with GitHub repositories.

I hope my explanation makes sense :)

[1]: https://pagure.io/pagure/pull-request/4221
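
The per-repository payload authentication described in the message above, as an added example that is not part of the original e-mail and is not Zuul's or Pagure's code. The header names (`x-project`, `x-signature`), the HMAC-SHA256 scheme, and the repository names and tokens are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: one web hook token per repository, as the
# message describes. Repository names and token values are made up.
WEBHOOK_TOKENS = {
    "rpms/example-a": "token-for-repo-a",
    "rpms/example-b": "token-for-repo-b",
}


def sign(token: str, body: bytes) -> str:
    """Sender side: keyed digest over the raw payload bytes."""
    return hmac.new(token.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_event(headers: dict, body: bytes, tokens: dict = WEBHOOK_TOKENS):
    """Receiver side: return the parsed event or raise ValueError.

    Header names are hypothetical (assumed for this example).
    """
    project = headers.get("x-project")
    signature = headers.get("x-signature")
    if not project or not signature:
        raise ValueError("missing project or signature header")
    token = tokens.get(project)
    if token is None:
        # Without this repository's token the event cannot be authenticated.
        raise ValueError("unknown repository")
    expected = sign(token, body)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise ValueError("signature mismatch")
    # Parse only after the exact received bytes have been authenticated.
    return json.loads(body)


if __name__ == "__main__":
    body = json.dumps({"topic": "pull-request.new", "id": 7}).encode()
    headers = {
        "x-project": "rpms/example-a",
        "x-signature": sign(WEBHOOK_TOKENS["rpms/example-a"], body),
    }
    print(verify_event(headers, body))
```

Because the token is looked up by repository, a signature made with one repository's token does not validate an event claiming to come from another, which is why the receiver has to know the token of every repository it serves.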