
docs(security): per-repo product enablement is repository write level #11827

Merged: mergify[bot] merged 1 commit into main from devs/sileht/fix-security-docs-product-enablement-permissions/per-repo-product-enablement-repo-write-level--90961aa4 on Jun 15, 2026

Conversation

sileht (Member) commented Jun 14, 2026

Per-repository product enablement, including activating CI Insights, is
enforced at repository WRITE level via PUT /v1/products/{owner}/{repository}.
Only the org-level default-products configuration requires Integrations Admin.

Correct the security page so the documented model matches enforcement:

  • Features Permissions: "Activate CI Insights on a repository" is write-level,
    not Owner-only.
  • Delegated Roles: Integrations Admin grants org-level default products and
    third-party integrations, not per-repo product enablement; drop "activate
    CI Insights" from CI Admin since per-repo activation is write-level, not a
    delegated owner power.
  • Tighten the Delegated Roles intro so its examples reference org-level
    operations only.

Surfaced by HackerOne #3801915: a write collaborator activated CI Insights
and the reporter cited these rows as the owner-only boundary. The docs were
wrong; the access-control behavior is correct.

Fixes MRGFY-7644

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Change-Id: I90961aa435b34f468fec7921b6664bee5199e832
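As an added example, not Mergify's code or part of this pull request: a small Python model of the two permission tiers the description sets out (repository write for per-repository product enablement, the Integrations Admin delegated role for org-level default products), plus a check that flags any documented permissions row that disagrees with enforcement, which is the drift this fix corrects. The operation names, the Requirement and Actor types and the owner-bypasses-all rule are assumptions.

```python
# Added example, not Mergify code: model the permission tiers the PR describes
# and diff a "documented" permissions table against the enforced policy.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class RepoPermission(IntEnum):
    """Repository permission levels, ordered so '<' means 'less privileged'."""
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3

@dataclass(frozen=True)
class Requirement:
    repo: RepoPermission = RepoPermission.NONE  # minimum repository permission
    role: Optional[str] = None                  # delegated role, if one is needed
    owner_only: bool = False                    # not delegable to any role

# Enforced model as stated in the PR description (operation names are assumed):
# per-repo enablement via PUT /v1/products/{owner}/{repository} is WRITE level;
# org-level default products require the Integrations Admin delegated role.
ENFORCED = {
    "activate_ci_insights_on_repo": Requirement(repo=RepoPermission.WRITE),
    "set_org_default_products": Requirement(role="Integrations Admin"),
}

@dataclass(frozen=True)
class Actor:
    repo_permission: RepoPermission = RepoPermission.NONE
    roles: frozenset = frozenset()
    is_owner: bool = False  # assumption: owners hold every delegated power

def is_allowed(actor: Actor, operation: str) -> bool:
    """Authorization decision for one operation under the enforced model."""
    req = ENFORCED[operation]
    if actor.is_owner:
        return True
    if req.owner_only or actor.repo_permission < req.repo:
        return False
    return req.role is None or req.role in actor.roles

def docs_mismatches(documented: dict) -> list:
    """Operations whose documented requirement differs from enforcement.
    Docs stricter than code (this PR's case) misstate the trust boundary;
    docs looser than code invite reports against correct behaviour."""
    ops = set(documented) | set(ENFORCED)
    return sorted(op for op in ops if documented.get(op) != ENFORCED.get(op))
```

Running docs_mismatches against the pre-fix table (CI Insights activation documented as owner-only) returns that single row; against a table equal to ENFORCED it returns nothing, which is the property worth asserting in CI alongside the security page.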
Copilot AI review requested due to automatic review settings June 14, 2026 16:17
@mergify mergify Bot deployed to Mergify Merge Protections June 14, 2026 16:17 Active

Copilot AI left a comment


Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

mergify Bot (Contributor) commented Jun 14, 2026

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 🤖 Continuous Integration

Wonderful, this rule succeeded.
  • all of:
    • check-success = build
    • check-success = lint
    • check-success = test
    • any of:
      • check-success = test-broken-links
      • label = ignore-broken-links
    • any of:
      • check-success=Cloudflare Pages
      • -head-repo-full-name~=^Mergifyio/

🟢 👀 Review Requirements

Wonderful, this rule succeeded.
  • any of:
    • #approved-reviews-by >= 2
    • author = dependabot[bot]
    • author = mergify-ci-bot

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 🔎 Reviews

Wonderful, this rule succeeded.
  • #changes-requested-reviews-by = 0
  • #review-requested = 0
  • #review-threads-unresolved = 0

🟢 📕 PR description

Wonderful, this rule succeeded.
  • body ~= (?ms:.{48,})

@mergify mergify Bot requested a review from a team June 14, 2026 16:20
@sileht sileht marked this pull request as ready for review June 14, 2026 16:35
@mergify mergify Bot requested a review from a team June 15, 2026 07:26
mergify Bot (Contributor) commented Jun 15, 2026

Merge Queue Status

Queued — the merge queue status continues in this comment ↓.

mergify Bot (Contributor) commented Jun 15, 2026

Merge Queue Status

This pull request spent 2 minutes 33 seconds in the queue, including 2 minutes 9 seconds running CI.


mergify Bot added a commit that referenced this pull request Jun 15, 2026
@mergify mergify Bot added the queued label Jun 15, 2026
@mergify mergify Bot merged commit 1f53bcd into main Jun 15, 2026
8 checks passed
@mergify mergify Bot deleted the devs/sileht/fix-security-docs-product-enablement-permissions/per-repo-product-enablement-repo-write-level--90961aa4 branch June 15, 2026 07:58
@mergify mergify Bot removed the queued label Jun 15, 2026


4 participants