* Changes for simple container
Makefile changes:
- 'build' target now builds simple container
- 'build-old' target builds the old repo2docker way
- 'debug-build' for docker build issues
- docker image tag includes git ref & date stamp
Dockerfile changes:
- pass hadolint
- change permissions to allow notebook signing for trust
- update user name for new base image
set_secrets_in_env.sh changes:
- support '--develop' option to set bogus values for testing jupyter
& notebook parts
* Update Notebook so signing works
Somewhere along the line, jupyter changed to needing an 'id' property
per cell for proper signing, without changing the ipynb version number.
Fix is to use `nbconvert --to ipynb` to rewrite file.
* Build Environment Hygiene
- Update versions of pre-commit
- updated hadolint config
- Make things more normal
- stop using port 10001
- add '--unset' option for testing
- Cleaned up Dockerfile
- Cleaned up Makefile
- removed method for older image build method
- updated documentation for new image build process
- removed no-longer-needed binder config files
* Fix bug with eliminating first name from ACL search
Co-authored-by: Hal Wine <hal@dtor.com>
* a verified_github_login should suppress warning
We'd output a warning based on "no access" for certain departments. If
we have a verified GitHub login, we can safely assume that no access
means someone already removed it.
* Allow credentials to be preset in environment
Crawl all repos looking for potential ACL in config files.
This approach has a lot of false positives, and the results need to be interpreted by someone with domain knowledge.
The "final output" is in CSV format -- by copy/paste into gSheets, a more reviewable view can be constructed.
There are heuristic ignore lists for orgs, repos, and paths-in-any-repo to be excluded to improve run time. This process makes heavy use of the search API, which has a very low quota that resets every minute. Expect to see many "waiting for quota" interim messages.
Other work:
* Fix pre-commit python version for nb-ensure-clean. nb-ensure-clean requires python 3.6. A method in base64 is no longer supported in python 3.9
There were a few problems that were masked by missing conda/jupyter
config files. Those are added now. They would be "fixed" in my working
instances when using `make run-update` as the configuration changes were
saved in my local directory for use next time. This caused "good" images
to only be buildable from my working directory, and not from others.
Rearranged some conda & jupyter config files to unclutter root dir.
- `repo2docker` config files are now in directory `binder` (name
forced by tool)
- Notebook moved to directory `notebooks`, which is the root of the
jupyter server started by the instance.
Requirements file was out of date -- so let's force folks to use poetry.
:)
* Install pre-commit & initial run
* Add targets for repo2docker usage
* Switch to ipywidgets data entry for email
This change minimizes the chance of committing the notebook with PII
in it.
This moves the entered text to an "output" section of the cell,
which must be removed before commit (enforced by pre-commit
filters).
It also makes the workbook easier to use, as you no longer have to
worry about messing up the python string formatting.
* Improved limit exhaustion reporting
* working using docker
* Combine phrases into paired tokens
No GitHub login has embedded spaces. So don't try to find one (404
error). Create possible logins by concatenating the tokens.
* Working with extensions installed.
* Update jupyter notebook
misc fixes
* update docs
* Install of all needed extensions now works
* Purge docker images that are being replaced.
* General cleanup
- formatting much cleaner now, so can copy/paste to email
- addressed several unicode issues - text output would throw
- reorganized cell hierarchy for shorter scrolling
* Fix detecting if any permissions found
The old test (# lines returned) became invalid when the report
formatting was done. All positive hits now contain "FOUND!". Absence
of that token means no matches.
* Updated tests & orgs
* Tune cache sizes
Also added some cells to debug cache issues. They must be manually
run.
* team_update.py creates team if needed
* some cleanup highlighted by vs-code
* Support for reading EML file added.
* Added CIS lookup of verified GitHub login
* Update README
* wip - now building with all extensions operable
Needed to pin the conda environments by exporting environment from
working image, then using that to recreate what we need after
repo2docker does the framework.
* Commit conda environment files
* Tweaks for fully functioning docker build
* Update to work on GitHub3.py v1.3.0
A few API changes, all run now (there may be some issues with scripts
that make permanent changes, as I didn't execute those parts).
* Works with jupyter notebooks!
Full support isn't there yet, but there are no major errors.
Fixes GH-57
Invitations can also be extended to outside collaborators at the
repository level. These changes extend the existing code to poll for all
such invitations (each repository in the organization must be
interrogated).
There seem to be a number of details about an org that are of occasional
interest. This prints the publicly available info, and whatever
private info the user has rights to see.
Uses selenium to drive an instance of firefox to log into GitHub and
download the audit log in JSON format. See README.md for dependencies.
And update license reference.
Added to README, and defaults to python2 (like the rest of the scripts
in this repo).
Added github_selenium to requirements.txt, and made lfs.py
executable.
Teams are useful for communication, either via team mentions in issues,
or using the GitHub discussion feature. Currently supported team names
are:
admin-all-org-owners
admin-all-org-members
We no longer need to manipulate teams for 2FA reasons, so rename and
modify to support admin team updates.
2FA enforcement is now configurable for organizations on GitHub. Leave
the monitoring script, as this is useful when preparing to make an
organization 2FA required.
The script will notify members out of compliance, and give them X days
(script executions) to comply before having their organization
membership revoked. 'X' is configurable by the number of teams created
following the pattern.
Script requires permissions for 'admin:org' and 'repo' (if your
communication repository is private).