LSIF: replace topics-based verification with GitHub token verification

Warren Gifford requested to merge lsif-github-token into master

Created by: chrismwendt

Background

Sourcegraph.com only allows LSIF uploads from users who have push access to the repository on GitHub. This prevents a malicious user from uploading objectionable content to someone else's repository.

Prior to this change

The auth flow was:

  • Go to the repository on Sourcegraph.com and copy the challenge string
  • Go back to GitHub and add a new topic with the name being the challenge string
  • Go back to Sourcegraph.com and click Verify, which would give you an "LSIF upload token"
  • Delete the topic you added
  • Pass that LSIF upload token as an argument to src-cli at dump upload time

After this change

The auth flow will be:

  • Create a new GitHub access token with public_repo scope only
  • Pass that token as an argument to src-cli at dump upload time

This also removes the LSIF verification section from repo home pages and site configuration settings lsifVerificationGithubToken and lsifUploadSecret that were added in:

Impact:

  • ... anything I'm missing?

Test plan: locally tried uploading to a nonexistent repo, bad GitHub access token, and a repo for which I don't have write permission

References:
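
The server-side check the new flow implies, as an added example written for this page rather than Sourcegraph's own code: it calls GitHub's `GET /repos/{owner}/{repo}` endpoint with the user's access token and accepts the upload only when the response reports push permission, mapping the three cases from the test plan (bad token, nonexistent or invisible repo, no write permission) to distinct errors. The function names, error values and `apiBase` parameter are assumptions; the JSON bodies in the test are constructed samples, not recorded GitHub replies.

```go
package main
import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

var ErrBadToken = errors.New("github rejected the access token")
var ErrRepoNotFound = errors.New("repository not found, or the token cannot see it")
var ErrNoPushAccess = errors.New("token holder has no push access to the repository")
// EvaluateRepoResponse applies the policy to the status and body of GET /repos/{owner}/{repo}.
// GitHub includes "permissions" only for authenticated requests; a missing object means no push.
func EvaluateRepoResponse(status int, body io.Reader) error {
	switch status {
	case http.StatusUnauthorized:
		return ErrBadToken
	case http.StatusNotFound:
		return ErrRepoNotFound
	case http.StatusOK: // fall through to the permissions check
	default:
		return fmt.Errorf("unexpected GitHub status %d", status)
	}
	var r struct {
		Permissions struct{ Push bool `json:"push"` } `json:"permissions"`
	}
	if err := json.NewDecoder(body).Decode(&r); err != nil {
		return fmt.Errorf("decoding repository response: %w", err)
	}
	if !r.Permissions.Push {
		return ErrNoPushAccess
	}
	return nil
}

// CheckPushAccess performs the live check; apiBase is normally https://api.github.com (assumed name).
func CheckPushAccess(client *http.Client, apiBase, token, owner, repo string) error {
	req, err := http.NewRequest(http.MethodGet, apiBase+"/repos/"+owner+"/"+repo, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "token "+token)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return EvaluateRepoResponse(resp.StatusCode, resp.Body)
}
```

A token with only the `public_repo` scope still yields `permissions.push` for repositories the holder can write to, so the upload handler needs nothing beyond this one request.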
