This week, since updating to your branch after the merge of my PR, I've seen a few times a failure I'd never encountered before. I run through the standard sequence, it reports success (green box, etc), but the creds file is empty:

(base) jupyter-fernando-2eperez[~]> cat /tmp/github-app-git-credentials 
(base) jupyter-fernando-2eperez[~]> d /tmp/github-app-git-credentials 
/home/jovyan
-rw------- 1 jovyan 0 Apr 23 06:01 /tmp/github-app-git-credentials

and obviously it doesn't actually work.

I had to run it again, and interestingly, when I looked, the creds file was actually empty at first, though a few seconds later it appeared with data:

(base) jupyter-fernando-2eperez[~]> cat /tmp/github-app-git-credentials 
(base) jupyter-fernando-2eperez[~]> cat /tmp/github-app-git-credentials 
https://x-access-token:ghu_[==============ELIDED===============]@github.com

Sorry the above aren't timestamped, but both cat cmds were run after having executed the notebook with:

and within a few seconds of one another. The first cat gave an empty file, then I tried again and it showed content.

Any ideas of what could be going on?

Once installed, then inside a Notebook or Console using the IPython kernel, one can type

%run -m github_app_user_auth.jupyter

resulting in:

This doesn't modify the existing usage at the terminal, though it does add support for also calling the CLI entry point as python -m github_app_user_auth if desired.

This builds on the discussion from #7.

Do we really need a gitconfig and an explicit declaration of the path name of where to put the credentials? I don't understand why that would be needed.

As a user of this project I'm a bit extra cautious since its configuration with a significant security impact, not understanding the the notes in the setup instructions fully, even though they may not be related to me at this point, I become a bit cautious.

Oh, is it because github-app-user-auth both relies on a jupyter_server/notebook extension to respond somehow and that may act as a user that doesn't have read/write permissions to a home folder. While, the user running the github-app-user-auth CLI will have permission to the home folder? Something like that?

Try running this version in a notebook:

import argparse
import requests
import sys
import time
import os

from IPython.display import display, Javascript
import ipywidgets as widgets

def do_authenticate_device_flow(client_id):
    """
    Authenticate user with given GitHub app using GitHub OAuth Device flow
    https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#device-flow
    describes what happens here.
    Returns an access_code and the number of seconds it expires in.
    access_code will have scopes defined in the GitHub app
    """
    verification_resp = requests.post(
        "https://github.com/login/device/code",
        data={"client_id": client_id, "scope": "repo"},
        headers={"Accept": "application/json"},
    ).json()

    url  = verification_resp["verification_uri"]
    code = verification_resp["user_code"]
    
    display(Javascript(f'navigator.clipboard.writeText("{code}");'))
  
    print(f'The code {code} has been copied to your clipboard.')
    print(f'You have 15 minutes to go to this URL and paste it there:')
    print(f'{url}')

    ans = input("Hit ENTER to open that page in a new tab (type anything to cancel)>")
    if ans:
        print("Automatic opening canceled!")
    else:
        display(Javascript(f'window.open("{url}", "_blank");'))
    
    print('Waiting...', end='', flush=True)

    while True:
        time.sleep(verification_resp["interval"])
        print('.', end='', flush=True)
        access_resp = requests.post(
            "https://github.com/login/oauth/access_token",
            data={
                "client_id": client_id,
                "device_code": verification_resp["device_code"],
                "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            },
            headers={"Accept": "application/json"},
        ).json()
        if "access_token" in access_resp:
            print()
            return access_resp["access_token"], access_resp["expires_in"]

def main():
    
    client_id = os.environ.get("GITHUB_APP_CLIENT_ID")
    git_credentials_path = "/tmp/github-app-git-credentials" 

    access_token, expires_in = do_authenticate_device_flow(client_id)
    expires_in_hours = expires_in / 60 / 60
    print(f"\nSuccess! Authentication will expire in {expires_in_hours:0.1f} hours.")

    # Create the file with appropriate permissions (0600) so other users can't read it
    with open(os.open(git_credentials_path, os.O_WRONLY | os.O_CREAT, 0o600), "w") as f:
        f.write(f"https://x-access-token:{access_token}@github.com\n")

and then just call main() either in the notebook or a console attached to it. I think works really nicely!

Do you want a PR for this? Or you can go ahead and do it :)

I'd refactor the code a bit to reuse more at the cmd line and Jupyter, and I'd add a magic, say %ghauth, to shorten this. We can then add the magic to __init__ and pre-import it, or even add it to a button/menu on the UI that shows the current GH connection status and lets you refresh the auth by clicking on it...

But anyway, I think this is now good enough for everyday use, esp. if we add a magic we preload or similar for convenience....

1. Step 6 in the GitHub App configuration, part of the README.md includes:

   Save the Public link as well, as users will need to use this to grant access to particular repositories.

   What does this refer to?

2. Step 1 in the Client configuration, part of the README.md refers to use of git-credentials-store. Since that is a technical reference, I'd expect a link or similar to be able to understand if that was a Python package we depend on, an apt-get package, or something part of what you get when installing git in any way etc.

   Is it correct that git-credentials-store refers to something shipping with git, namely this.

3. Use of GITHUB_APP_CLIENT_ID, maybe GITHUB_APP_USER_AUTH_CLIENT_ID or GITHUB_APP_USER_AUTH__CLIENT_ID instead? I've seen a lot of confusion stemming from not knowing what environment variables influence what software. By prefixing the environment variable with the related software's full name, there is a lot less confusion about it. To me, that far outweighs the downside of having a longer environment variable name.

   What do you think about renaming this env var?

I think this is broadly useful enough that this should be inside the JupyterHub org.

Thoughts, @minrk @manics @consideratio @choldgraf @georgianaelena?

@yuvipanda I'm looking to setup jupyterhub-bot with a PyPI deployment token for this repo for #32, but I also note that we only have you as a sole maintainer of the PyPI package atm. Feel free to add me or another jupyterhub maintainer, but i figure we should be at least 2+ being able to resolve issues and avoid a bus factor of 1.

I've not gone through the full steps, but wouldn't it be nice to have a standardized UX for how users would go about knowing what app to authorize against etc?

I figure we would configure the public url (in my case https://github.com/settings/apps/hub-jupytearth-org-github-integ), just like we configure the GITHUB_APP_CLIENT_ID env var. While it isn't crucial, it would allow this software to provide helpful messages to the user if they aren't already setup or similar maybe?

Another options would perhaps be to let this software lookup the public URL by knowing the APP id by asking some GitHub API?

We needed admins to setup .gitconfig to point to the generated credentials file earlier, and so we used a well known location. Now that we set git config automatically, that is unnecessary.

This makes it secure to use on HPC systems

Removes a fiddly client-side config! This was particularly problematic when git was installed via conda, as it does not read the systemwide /etc/gitconfig file (https://github.com/conda-forge/git-feedstock/issues/113)

Ref #2

• Better name for what it actually does
• Prefix env var we use to pick up client id
• Rename the IPython Magic too

Ref https://github.com/yuvipanda/gh-scoped-creds/issues/2

Proposed change

had previously been using gh-scoped-creds through Syzygy without any issues. It had served as an excellent way to securely push and pull to and from Github; however, as of this week, my Syzygy has encountered a serious issue and so I am now working through Anaconda. I was wondering if you have any experience dealing with using your package through anaconda as it seems to install easily enough, yet it won't let me push to Github, even when I am supposedly securely authenticated. Is what I am trying to do currently possible, and if no, would it be possible to do it in the near future?

Who would use this feature?

I imagine that this feature, if possible, would be helpful to any people who have to work through Anaconda with their data projects.

Facu with JMTE wrote this.

Does anyone knows how to deactivate the Github authentication app once it has been activated? I am trying to push to a repository that doesn’t have the app installed and of which I am not owner . I can just wait 8 hours and push with my GH token, but I would like to know if there is another way of doing this. Thank you!

I concluded he could remove a section from his .gitconfig looking like this accomplish that.

[credential "https://github.com/"]
	helper = store --file=/tmp/tmp3z__u6za

That configuration was added by this section.

https://github.com/jupyterhub/gh-scoped-creds/blob/1f7947d1b34cff5c2544eacd76fa5dcaf0dff06c/gh_scoped_creds/init.py#L97-L106

Maybe it can make sense to have a command to clean that configuration change and the associated credentials?

I'd like to create a changelog retroactively using github-activity, but that relies on release being git tagged.

Is it okay if I retroactively create git tags, or maybe @yuvipanda has git tags already made but not pushed that can be pushed retroactively? It would help the use of github-activity to generate the changelog. I see that the setup.py file has been updated reliably with new versions for each release on PyPI even though git tags hasn't been created/pushed reliably.

Current PyPI releases

Current git history

*   25a0a5d - (HEAD -> main, origin/main, origin/HEAD, fork/main) Merge pull request #30 from yuvipanda/pre-commit-ci-update-config (2 weeks ago) <Yuvi Panda>
|\  
| * 6a0da6b - (origin/pre-commit-ci-update-config, fork/pre-commit-ci-update-config) [pre-commit.ci] pre-commit autoupdate (4 weeks ago) <pre-commit-ci[bot]>
|/  
*   a432e5b - Merge pull request #29 from yuvipanda/pre-commit-ci-update-config (5 weeks ago) <Yuvi Panda>
|\  
| * 826b0ab - [pre-commit.ci] pre-commit autoupdate (5 weeks ago) <pre-commit-ci[bot]>
|/  
*   37e3eab - Merge pull request #28 from yuvipanda/pre-commit-ci-update-config (6 weeks ago) <Yuvi Panda>
|\  
| * 2a85e0e - [pre-commit.ci] pre-commit autoupdate (6 weeks ago) <pre-commit-ci[bot]>
|/  
*   6eee01f - Merge pull request #27 from yuvipanda/pre-commit-ci-update-config (3 months ago) <Yuvi Panda>
|\  
| * af0f649 - [pre-commit.ci] pre-commit autoupdate (3 months ago) <pre-commit-ci[bot]>
|/  
*   b90f33a - Merge pull request #26 from yuvipanda/pre-commit-ci-update-config (4 months ago) <Yuvi Panda>
|\  
| * 927fdd3 - [pre-commit.ci] pre-commit autoupdate (4 months ago) <pre-commit-ci[bot]>
|/  
*   5a86b67 - Merge pull request #23 from GeorgianaElena/patch-2 (5 months ago) <Yuvi Panda>
|\  
| * b882300 - Delete settings.json (5 months ago) <Georgiana Elena>
* |   5f3548c - Merge pull request #24 from yuvipanda/no-ssh (5 months ago) <Yuvi Panda>
|\ \  
| |/  
|/|   
| * e6f3560 - (origin/no-ssh, fork/no-ssh) [pre-commit.ci] auto fixes from pre-commit.com hooks (5 months ago) <pre-commit-ci[bot]>
| * 1268c92 - Add a note about using https, not ssh URLs (5 months ago) <YuviPanda>
|/  
*   ba42a02 - Merge pull request #20 from yuvipanda/bump (5 months ago) <Yuvi Panda>
|\  
| * 03149b1 - (origin/bump, fork/bump) Bump version number (5 months ago) <YuviPanda>
* |   815b086 - Merge pull request #19 from yuvipanda/no-named-file (5 months ago) <Yuvi Panda>
|\ \  
| * | f475ab6 - (origin/no-named-file, fork/no-named-file) [pre-commit.ci] auto fixes from pre-commit.com hooks (5 months ago) <pre-commit-ci[bot]>
| |/  
| * f450280 - Remove hard-coded credentials file location (5 months ago) <YuviPanda>
* | 41a977b - Merge pull request #18 from yuvipanda/fix-typo-2 (5 months ago) <Yuvi Panda>
|\| 
| * dc4db68 - (origin/fix-typo-2, fork/fix-typo-2) Update readme to use new IPython magic name (5 months ago) <YuviPanda>
* |   9fd54ee - Merge pull request #16 from yuvipanda/user-app (5 months ago) <Yuvi Panda>
|\ \  
| * | 38d07eb - (origin/user-app, fork/user-app) [pre-commit.ci] auto fixes from pre-commit.com hooks (5 months ago) <pre-commit-ci[bot]>
| |/  
| * e0ed54e - Remove timestamp of when auth was performed (5 months ago) <YuviPanda>
| * 1033c48 - Let users know how to manage github app access (5 months ago) <YuviPanda>
* | ff1c7fe - Merge pull request #15 from yuvipanda/fix-typo (5 months ago) <Yuvi Panda>
|\| 
| * 98d9a4c - (origin/fix-typo, fork/fix-typo) Fix typo (5 months ago) <YuviPanda>
* | cda47f3 - Merge pull request #14 from yuvipanda/git-config (5 months ago) <Yuvi Panda>
|\| 
| * c787d0b - (origin/git-config, fork/git-config) Bump version number (5 months ago) <YuviPanda>
| * 3aa6e07 - [pre-commit.ci] auto fixes from pre-commit.com hooks (5 months ago) <pre-commit-ci[bot]>
| * 2029390 - Automatically tell git where to look for github creds (5 months ago) <YuviPanda>
|/  
*   441933d - Merge pull request #13 from yuvipanda/rename (5 months ago) <Yuvi Panda>
|\  
| * 61d6aab - (origin/rename, fork/rename) Bump version number (5 months ago) <YuviPanda>
| * ddf703e - Remove textbox based automatic opening of new window (5 months ago) <YuviPanda>
| * 5cc8fc2 - Fix name of client env var read (5 months ago) <YuviPanda>
| * 8abb333 - Change path of default creds file (5 months ago) <YuviPanda>
| * bd22157 - Rename to be gh-scoped-creds (5 months ago) <YuviPanda>
|/  
*   120a46b - Merge pull request #12 from yuvipanda/device-flow (5 months ago) <Yuvi Panda>
|\  
| * 3e03994 - (origin/device-flow, fork/device-flow) Note that device flow must be manually enabled now (5 months ago) <YuviPanda>
* | 59f7f63 - Merge pull request #11 from yuvipanda/pre-commit (5 months ago) <Yuvi Panda>
|\| 
| * 0272642 - (origin/pre-commit, fork/pre-commit) Steal flake8 config from JupyterHub (5 months ago) <YuviPanda>
| * ab8e5df - Add pre-commit config (5 months ago) <YuviPanda>
* | 5a26be0 - Merge pull request #10 from yuvipanda/simplify (5 months ago) <Yuvi Panda>
|\| 
| * 6286443 - (origin/simplify, fork/simplify) Note the %ghauth magic in the README (5 months ago) <YuviPanda>
| * bf4aeee - Run black (5 months ago) <YuviPanda>
| * 97eecc4 - Register an IPython magic directly (5 months ago) <YuviPanda>
|/  
*   feebfe7 - Merge pull request #8 from fperez/main (5 months ago) <Yuvi Panda>
|\  
| * b93e8cb - Add info about time of authentication. (6 months ago) <Fernando Perez>
| * 01cf5dd - Highlight success with color in Jupyter mode. (6 months ago) <Fernando Perez>
| * 4989f70 - Add Jupyter support (7 months ago) <Fernando Perez>
| * 46d0bdf - Add dedicated __main__ entry point for python -m (7 months ago) <Fernando Perez>
|/  
*   f480c0f - Merge pull request #6 from fperez/patch-1 (7 months ago) <Yuvi Panda>
|\  
| * ec33a39 - Mention running in the console/notebook. (7 months ago) <Fernando Perez>
| * 9442d2d - Fix typo and mention timeout. (7 months ago) <Fernando Perez>
|/  
* ba7184f - Make note for HPC users (7 months ago) <YuviPanda>
* 27b646b - (tag: v1.1) Bump version number (8 months ago) <YuviPanda>
* 3b2c203 - Tighten permissions on created git-credentials file (8 months ago) <YuviPanda>
* 6b1f503 - Add notes on alternatives considered (8 months ago) <YuviPanda>
* 5b33c75 - (tag: v1.0) Add vscode autoformat settings (8 months ago) <YuviPanda>
* 452d399 - Initial commit (8 months ago) <YuviPanda>
* c9e5780 - Initial commit (8 months ago) <Yuvi Panda>(base) ~/dev/jupyterhub/gh-scoped-creds (main)$ 

PR Summary

• The github secret PYPI_PASSWORD is added already, based on a deployment token for our PyPI bot account now with maintainer permissions for the associated PyPI project.
• Added a copy/pasted/tweaked RELEASE.md based on this workflow of relying on the github CI system to do upload to PyPI.

Related

It would be nice to retroactively add tags to the commits associated with the previous releases and push those before merging this to avoid triggering workflows that would try publish to PyPI. If that is done later, they won't override any PyPI release though because the upload command looks like this: twine upload --skip-existing dist/*

• #35

There are two times that the end user via a GitHub website, and I don't yet understand what roles they have etc. To understand that is quite relevant for anyone being an admin of a hub that provides this if the admin gets questions from users.

I don't clearly understand the parts here. I've typically been very afraid of whenever I've accepted "act on behalf of you". But, I guess perhaps it's just "act on behalf of me" with restricted permissions based on how the application is installed for various repos.

Task to complete

• [ ] Clarify the role of various steps taken somewhere in this project's documentation
• [ ] BONUS: Include some screenshots
• [ ] BONUS: Include references to verify what's said in official github documentation

Overview of procedure to understand better

Step 1 - An end-user installs the github application

This can be triggered by visiting https://github.com/apps/hub-jupytearth-org-github-integ.

Step 2 - An end-user authorize the application as initiated by github-app-auth-user CLI

This can be triggered by running github-app-auth-user, getting a device code, and opening https://github.com/login/device