Allow non-Owners to publish Orbs (aka granular permissions for orb publishing) | Orbs

Allow non-Owners to publish Orbs (aka granular permissions for orb publishing)

Eddie

Could be a project level API key with publishing permissions, or use team membership like contexts do. Some means to expand the population of folks who can deploy prod versions of orbs without giving them global admin rights in GH.

CCI-I-1108

July 30, 2019

Oran Bartell

marked this post as

open

This feature continues to be top of mind but has not found a home on our roadmap for now.

Thomas Skjølberg

My team wanted to contribute to the platform by making an orb. But none of the github owners would let us keep their token in a circleci context for publishing orb releases. So we're stuck with a manual process; kind of ironic for a tool which claims to automate the pipeline.

As a paying customer which wasted a lot of time on the latest security breach, the lack of progress on this task is painful to observe.

Benoit Tigeot

With the recent leak, this kind of request is more than needed.

Nathan Fish

Merged in a post:

Restrict context to publishing orb for devs only

Cyril Moreau

Currently, only users with Admin level access can publish orbs, so any user whose API token allows them to publish orbs will be able to perform other "admin" operations.

It would help to be able to restrict the context used for orb publishing to be restricted to the orb publishing job etc.

July 18, 2022

November 30, 2022

Nathan Fish

marked this post as

under review

Oran Bartell

marked this post as

open

Hi folks! We're not able to put a timeline on this feature for now. I'm moving the status back to "Open" for future review.

Jeff Hall

This would be super useful. It's really important to us to keep our GH admin group small and only allowing admins to publish orbs is a pretty big blocker to private orbs and code reuse within our org.

Oran Bartell

marked this post as

under review

This feature is being considered for Q3/Q4 of this year.

Oran Bartell

Merged in a post:

Permit non-admins to publish unlisted orbs

Alex Turek

Right now we have our orbs repo set up to auto-publish after a successful master build. But the only people who can do that are CircleCI admins, who are of necessity Github org admins. This means we have to give GH admin to every dev who is working on our (private, internal to the company) orbs.
It'd be great to not have to grant that permission, or bottleneck on our few Github admins to update our internal orbs.
CCI-I-1398

February 27, 2020

November 23, 2021

Kristofer Borgstrom

Really hoping for a solution ASAP. Obviously making every developer and bot a github organization owner is not a feasible solution as it would completely destroy the whole access control setup. Thus killing off options of automated releases and developers handling publishing.

→