Skip to content

LSIF: upload tokens

Warren Gifford requested to merge lsif-upload-tokens into master

Created by: chrismwendt

This adds the concept of an "LSIF upload token", which is the only way to upload LSIF data to a Sourcegraph instance.

Unlike access tokens, an LSIF upload token is not associated with a user. LSIF upload tokens are associated with repositories. Each repository will have a different LSIF upload token.

The downside of the current implementation in this PR is that you can't revoke individual LSIF upload tokens. However, you can revoke all LSIF upload tokens by changing the LSIF_UPLOAD_SECRET environment variable on the frontend. That doesn't purge LSIF data from storage, so any LSIF data already uploaded will remain.

Here's what the workflow for a repository owner looks like:

  • Visit their repository on Sourcegraph.com (only GitHub repositories are supported)
  • Scroll to the LSIF section at the bottom
  • Copy the challenge (10 hex characters)
  • Go to their repository on GitHub.com and add the challenge as a topic
  • Go back to Sourcegraph.com and click Verify
  • (the Sourcegraph instance will then use GitHub's API to verify that the challenge was added as a topic, proving the user owns the repository)
  • On successful verification, the LSIF upload token will appear in the UI
  • Copy the LSIF upload token and paste it into the CI environment variable SRC_LSIF_UPLOAD_TOKEN
  • Generate LSIF data in CI and run the upload.sh script

2019-07-18 00 27 09

Test plan: follow the steps above

See write-up https://docs.google.com/document/d/1W0L0Z34Og7j0WRHEesxs_92I0vOmy-eC0BvbOVzFGww/edit?ts=5d1fd2bc#heading=h.5yoboqkqlm0u

Merge request reports

Loading