This query relates to the OAuth integration between Drone and Gitea.
When a user logs into Drone they are prompted to authorise access via the standard OAuth exchange.
When Drone executes pipelines for activated Gitea repositories it injects the OAuth token into each container (~/.netrc). This is how an alpine/git container is able to interact with the repository.
I’m wondering whether this token should be exposed to the pipeline containers? The token provides access to all the originating user’s repositories on Gitea. This may be useful if one is cloning other repositories during a build pipeline, but it could also be misused to access other private repositories.
For example, Alice has access to repositories A, B, C. Bob only has access to repository A. If the Drone pipeline is activated under Alice's account, then Bob could manipulate the build pipeline for A to extract repositories B & C.
Is there any way to limit the scope of the OAuth token to just the repository being processed? I suspect that this would require a modification to both Drone and Gitea, but I’m hoping that I’ve missed something.
Alternatively, is it possible to run a pipeline in a mode where the clone happens (presumably with fetches against branches/tags for semantic processing) and then .netrc is withheld from subsequent containers?
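An audit step for the exposure described in the post, added here as example code that is not part of the original post and not Drone's or Gitea's own code. It parses a `.netrc` file with Python's standard `netrc` module and reports which hosts carry a login and password, without ever returning the secret itself, so a pipeline step can verify whether it actually received CI-injected credentials rather than assuming it. The host name `gitea.example.com`, the login `alice` and the token value are constructed placeholders; the real file location is assumed to be `~/.netrc`, as the post states.

```python
import netrc
import os
import tempfile

# Constructed sample of what a CI-injected ~/.netrc might contain.
# The host, login and token value are placeholders, not real credentials.
SAMPLE_NETRC = """machine gitea.example.com
login alice
password PLACEHOLDER-OAUTH-TOKEN
"""


def audit_netrc_text(text):
    """Parse netrc content and describe each entry without exposing the secret.

    Returns {machine: {"login": <login>, "has_password": <bool>}}.
    The password itself is deliberately dropped from the report.
    """
    # The netrc module only reads from a path, so write the text to a temp file.
    # Passing an explicit path also skips the module's ownership/permission
    # check, which only applies when the default ~/.netrc is used.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".netrc") as fh:
        fh.write(text)
        path = fh.name
    try:
        parsed = netrc.netrc(path)
    finally:
        os.unlink(path)
    return {
        host: {"login": login, "has_password": bool(password)}
        for host, (login, _account, password) in parsed.hosts.items()
    }


def audit_netrc_file(path=None):
    """Audit the real netrc file; an absent file yields an empty report."""
    path = path or os.path.expanduser("~/.netrc")
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return audit_netrc_text(fh.read())


def credential_hosts(report):
    """Hosts for which a usable password (e.g. an OAuth token) is present."""
    return sorted(host for host, entry in report.items() if entry["has_password"])


if __name__ == "__main__":
    # Run inside a pipeline step to see whether credentials reached it.
    report = audit_netrc_file()
    for host, entry in report.items():
        print(f"{host}: login={entry['login']} password_present={entry['has_password']}")
    hosts = credential_hosts(report)
    if hosts:
        print(f"credentials injected for: {', '.join(hosts)}")
    else:
        print("no credentials found in ~/.netrc")
```

Running this as an extra step after the clone answers the post's second question empirically for a given Drone version: if `credential_hosts` is non-empty in a step that does no Git operations, the token is reaching containers that do not need it. In a constructed run, `credential_hosts(audit_netrc_text(SAMPLE_NETRC))` returns `["gitea.example.com"]`.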