Comments (14)
we need a github oauth expert :) @ubermuda ?
from composer-service.
he was my mentor back at Knp 👶 and now he is back to teach me more 👶 /o/
from composer-service.
👍
from composer-service.
Sooo... how can we do that? :)
from composer-service.
I guess it would mean:
- a "login with GitHub" button
- each composer update is launched with a special profile if user is connected so a deploy key added to a repo can't be used by another user
- on each private repo we add a deploy key to the repo
from composer-service.
Ok I'll try something thanks :)
from composer-service.
@pborreli thinking a bit further this could also be another "upload" option (despite upload composer.json, composer.lock).
So one could choose a project out of the list of github projects he has access to (after an oauth-login).
So the user would select a github project and composeraas would fetch the composer.json/.lock from github instead of a file upload
from composer-service.
@staabm this is not the same idea. We are talking about supporting private dependencies.
In effect, for EACH private dependency, we need a github oauth token (assuming the dependency is on github) that has admin access to the repository, so we can add a deploy key to it in order to be able to download it. The catch is you can't re-use that deploy key for any other composeraas job unless you know the user is the same as the one you installed the deploy key for, or you risk giving some code to someone who is not normally allowed to access it. And you need to do that for every private dependency.
from composer-service.
ok I didn't understand..
from composer-service.
Imagine this scenario:
You submit a composer.json with a dependency to a private repository of yours (say youbs/foo). Composeraas makes you authenticate to github and adds a deploy key to youbs/foo so that it can actually download the dependency. Very well. Now say I have knowledge of the existence of this repository, I just have to submit a composer.json with a dependency to it and composeraas will download it and hand me your (private) sources.
What this means is you have to check that the person who submits the composer.json actually has access to every private dependency they are requesting in the composer.json they are submitting.
from composer-service.
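Added example, not part of the thread or of composer-service's code: a Python sketch of the check described in the two comments above, where every private GitHub dependency in a submitted composer.json is verified against the submitter's own access and deploy keys are granted per (user, repo) pair. The `DeployKeyBroker` class, the `can_read` callback and the sample ACL are hypothetical; in a real service `can_read` would query GitHub with the submitter's OAuth token.

```python
import json
import re

# owner/repo from https or ssh GitHub URLs (host anchored so "notgithub.com" fails)
GITHUB_URL = re.compile(r"(?:^|[@/])github\.com[:/]([\w.-]+)/([\w.-]+?)(?:\.git)?/?$", re.I)

def github_repos(composer_json):
    """Return the set of 'owner/repo' GitHub repositories a composer.json declares."""
    entries = json.loads(composer_json).get("repositories", [])
    if isinstance(entries, dict):          # composer also accepts a keyed object
        entries = entries.values()
    found = set()
    for entry in entries:
        match = GITHUB_URL.search(entry.get("url", "")) if isinstance(entry, dict) else None
        if match:
            found.add(f"{match.group(1)}/{match.group(2)}".lower())
    return found

class DeployKeyBroker:
    """Hands out deploy keys per (user, repo), never per repo alone."""

    def __init__(self, can_read):
        # can_read(user, repo) -> bool. Assumption: a real service would ask GitHub
        # with the submitter's own OAuth token, not with the service's credentials.
        self.can_read = can_read
        self.grants = set()                # (user, repo) pairs verified so far

    def authorize_job(self, user, composer_json):
        repos = github_repos(composer_json)
        denied = sorted(r for r in repos if not self.can_read(user, r))
        if denied:                         # reject the whole job, fetch nothing
            raise PermissionError(f"{user} cannot read: {', '.join(denied)}")
        self.grants |= {(user, r) for r in repos}
        return sorted(repos)

    def key_for(self, user, repo):
        if (user, repo.lower()) not in self.grants:
            raise PermissionError(f"no deploy key for {user} on {repo}")
        return f"deploy-key:{user}:{repo.lower()}"   # placeholder key handle

# Constructed sample data: who can read which private repository.
ACL = {"youbs": {"youbs/foo"}, "someone-else": set()}
MANIFEST = json.dumps({
    "require": {"youbs/foo": "dev-master"},
    "repositories": [{"type": "vcs", "url": "git@github.com:youbs/foo.git"}],
})
```

With `DeployKeyBroker(lambda user, repo: repo in ACL.get(user, set()))`, `authorize_job("youbs", MANIFEST)` succeeds, while the same manifest submitted as `someone-else` raises `PermissionError` before any download happens, even though a key for youbs/foo already exists.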
Ok, I get it, thank you!
from composer-service.
I think my initial thought was never thought in this way. Hmm or maybe I am misunderstanding. My initial thought was how I plug on my server accesses to remote private repositories and have my own SaaS fetch these dependencies. So it is more a setup documenting issue more than make things complicated unnecessarily in the current official site.
from composer-service.
if you need to access your own private repository with your own installation of the project, just launch the consumer with a user who has access to them
from composer-service.
maybe we should open documentation for installing it in-house. Closing this as I got my answer.
from composer-service.