Move TD/SA apps to low privilege account

[chadwhitacre]

This is an action item out of the security review for #37.

[chadwhitacre]

From Jira:

Both apps are connected to my personal account (private links for my reference: TD, SA) in order to:

• Verify my GitHub identity
• Know what resources I can access
• Act on my behalf
• View my email addresses

The “Act on your behalf” is scary. Fortunately, it is limited by the app permissions specified:

• StackAid requires “Read access to code, members, and metadata.”
• Thanks.dev requires “Read access to code and metadata.“

It is also limited to the repos that the app is installed on. Both are installed on our Tier 1 repos (all public) + one more (sentry-go).

[chadwhitacre]

If I revoke access to my personal account, will the org install still work? 🤔

---

---

[chadwhitacre]

I've created @getsentry-funding and have an IT ticket in to provision an email account so I can SAML with this account. Needed to join the org.

There was an issue joining the organization: Your GitHub user account @getsentry-funding is currently unlinked. However, you are attempting to authenticate with your Identity Provider using the 'bot@sentry.io' SAML identity which is already linked to a different GitHub user account in the organization. Please reach out to one of your GitHub organization owners for assistance.

[chadwhitacre]

I don't actually understand the relationship between the app install on the org and the app connection to my personal account. I suppose the latter is used to login on https://www.stackaid.us/. But if I revoke that, what happens to the org install?

When authorized, the GitHub App will be able to programmatically read the private GitHub resources that you can access (such as private GitHub repositories) where an installation of the GitHub App is also present.

https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/authorizing-github-apps

[chadwhitacre]

Act on your behalf
The application may need to perform tasks on GitHub, as you. This might include creating an issue, or commenting on a pull request. This ability to act on your behalf is limited to the GitHub resources where both you and the GitHub App have access. In some cases, however, the application may never make any changes on your behalf.

[chadwhitacre]

I've revoked access to my personal account for both apps. Both are still installed on the getsentry org. Once SAML is provisioned for @getsentry-funding I'll auth with both apps and have them manually relink our subscriptions with the new account.

[chadwhitacre]

Currently blocking on IT provisioning an email address for @getsentry-funding.

[chadwhitacre]

Account provisioned, I've gained access to Gmail and GitHub. Now waiting to be provisioned in GitHub via Okta.

[chadwhitacre]

Provisioned in GitHub. Ready to finalize.

[chadwhitacre]

Need to recover access to bots, lost in the move to Okta for GH.

[chadwhitacre]

Recovered bot access, reached out to SA and TD to switch our account with them over to @getsentry-funding.

[chadwhitacre]

TD done. 💃

[chadwhitacre]

SA done! 💃