Fine-grained permissions for Github issues (self-assign, labels)

Development
7

I've successfully installed zulipbot on heroku using the instructions for heroku and zulipbot, and I've included a step-by-step playbook below. Examples in action for an organizational repo are here and personal repo are here (thanks for helping me test @LN and @downey)!

Two issues:

  1. Permissions - you have to be a member of a team that has at least 'read' access to a project (or be a collaborator, in the case of a personal project) in order to @bot properly.
  2. Documentation - the above permission problem may be something that's configurable, but the config docs for zulip bot are a little sparse.
  3. Security - I'm not a heroku expert, but I'm told editing files directly using 'heroku bash' on your instance doesn't guarantee persistence, and that pushing to the heroku remote is the way to ensure that. Adding my password and secret to get the webhooks to work required committing passwords in cleartext to the repo, and pushing to remote (see playbook below). Hoping someone more knowledgable of heroku than I am can comment on this.

Otherwise, it works as advertised, team members can assign and label and do other things without being admins!

Playbook

  1. install npm/node and git
  2. download heroku CLI: https://devcenter.heroku.com/articles/getting-started-with-nodejs#set-up
  3. heroku login
  4. git clone https://github.com/zulip/zulipbot.git
  5. cd zulipbot
  6. npm install
  7. heroku create
  8. git remote -v verify a new remote has been established, called "heroku", https://git.heroku.com/random-words-#####.git
  9. create a github account for the odk-zulipbot, and add it as a collaborator (and admin) to the appropriate repos
  10. add webhooks to the appropriate repos
  • uri: https://random-words-#####.herokuapp.com/
  • application/json data
  • secret: <generated, to be used below>
  • send me everything
  1. cp src/zulip_project_config.js src/config.js # copy the example template into where the live config lives
  2. touch src/secrets.json
  3. In config.js, I only changed sudoUsers (no idea what this does) and activeRepos, none of this is documented so I don't know what the other parameters do :confused:
  4. add secrets content as directed (github account credentials, plus the webhook secret generated above)
  5. I then removed secrets.json and config.js from .gitignore, git add -A, git commit, git push heroku master. This seems like a bad idea.
4 Likes