Merge branch 'main' into feature/gerrit-authentication

Author: zuharz

CHANGELOG.md

@@ -7,8 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.5.2] - 2025-07-19
+
 ### Changed
 - Fixed typos in UI, docs, code [#369](https://github.com/sourcebot-dev/sourcebot/pull/369)
+- Add anonymous access option to core and deprecate the `enablePublicAccess` config setting. [#385](https://github.com/sourcebot-dev/sourcebot/pull/385)
 
 ## [4.5.1] - 2025-07-14
 

demo-site-config.json

@@ -238,7 +238,6 @@
         }
     },
     "settings": {
-        "reindexIntervalMs": 86400000, // 24 hours
-        "enablePublicAccess": true
+        "reindexIntervalMs": 86400000 // 24 hours
     }
 }

docs/docs.json

@@ -73,7 +73,7 @@
                                 "pages": [
                                     "docs/configuration/auth/overview",
                                     "docs/configuration/auth/providers",
-                                    "docs/configuration/auth/inviting-members",
+                                    "docs/configuration/auth/access-settings",
                                     "docs/configuration/auth/roles-and-permissions",
                                     "docs/configuration/auth/faq"
                                 ]

docs/docs/configuration/auth/access-settings.mdx

@@ -0,0 +1,40 @@
+---
+title: Access Settings
+sidebarTitle: Access settings
+---
+
+There are various settings to control how users access your Sourcebot deployment.
+
+# Anonymous access
+
+<Note>Anonymous access cannot be enabled if you have an enterprise license. If you have any questions about this restriction [reach out to us](https://www.sourcebot.dev/contact).</Note>
+
+By default, your Sourcebot deployment is gated with a login page. If you'd like users to access the deployment anonymously, you can enable anonymous access. 
+
+This can be enabled by navigating to **Settings -> Access** or by setting the `FORCE_ENABLE_ANONYMOUS_ACCESS` environment variable.
+
+When accessing Sourcebot anonymously, a user's permissions are limited to that of the  [Guest](/docs/configuration/auth/roles-and-permissions) role.
+
+# Member Approval 
+
+By default, Sourcebot requires new members to be approved by the owner of the deployment. This section explains how approvals work and how
+to configure this behavior.
+
+### Configuration
+Member approval can be configured by the owner of the deployment by navigating to **Settings -> Members**:
+
+![Member Approval Toggle](/images/member_approval_toggle.png)
+
+### Managing Requests
+
+If member approval is enabled, new members will be asked to submit a join request after signing up. They will not have access to the Sourcebot deployment
+until this request is approved by the owner.
+
+The owner can see and manage all pending join requests by navigating to **Settings -> Members**.
+
+## Invite link
+
+If member approval is required, an owner of the deployment can enable an invite link. When enabled, users
+can use this invite link to register and be automatically added to the organization without approval:
+
+![Invite Link Toggle](/images/invite_link_toggle.png)

docs/docs/configuration/auth/inviting-members.mdx

@@ -10,4 +10,5 @@ Each member has a role which defines their permissions within an organization:
 | Role | Permission |
 | :--- | :--------- |
 | `Owner` | Each organization has a single `Owner`. This user has full access rights, including: connection management, organization management, and inviting new members. |
-| `Member` | Read-only access to the organization. A `Member` can search across the repos indexed by an organization's connections, but may not manage the organization or its connections. |
+| `Member` | Read-only access to the organization. A `Member` can search across the repos indexed by an organization's connections, as well as view the organizations configuration and member list. However, they cannot modify this configuration or invite new members. |
+| `Guest` | When accessing Sourcebot [anonymously](/docs/configuration/auth/access-settings#anonymous-access), a user has the `Guest` role. `Guest`'s can search across repos indexed by an organization's connections, but cannot view any information regarding the organizations configuration or members. |

docs/docs/configuration/auth/roles-and-permissions.mdx

@@ -21,6 +21,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `DATABASE_DATA_DIR` | `$DATA_CACHE_DIR/db` | <p>The data directory for the default Postgres database.</p> |
 | `DATABASE_URL` | `postgresql://postgres@ localhost:5432/sourcebot` | <p>Connection string of your Postgres database. By default, a Postgres database is automatically provisioned at startup within the container.</p><p>If you'd like to use a non-default schema, you can provide it as a parameter in the database url </p> |
 | `EMAIL_FROM_ADDRESS` | `-` | <p>The email address that transactional emails will be sent from. See [this doc](/docs/configuration/transactional-emails) for more info.</p> | 
+| `FORCE_ENABLE_ANONYMOUS_ACCESS` | `false` | <p>When enabled, [anonymous access](/docs/configuration/auth/access-settings#anonymous-access) to the organization will always be enabled</p>
 | `REDIS_DATA_DIR` | `$DATA_CACHE_DIR/redis` | <p>The data directory for the default Redis instance.</p> |
 | `REDIS_URL` | `redis://localhost:6379` | <p>Connection string of your Redis instance. By default, a Redis database is automatically provisioned at startup within the container.</p> |
 | `REDIS_REMOVE_ON_COMPLETE` | `0` | <p>Controls how many completed jobs are allowed to remain in Redis queues</p> |

docs/docs/configuration/environment-variables.mdx

@@ -104,11 +104,29 @@ Sourcebot can sync code from GitHub.com, GitHub Enterprise Server, and GitHub En
 
 ## Authenticating with GitHub
 
-In order to index private repositories, you'll need to generate a GitHub Personal Access Token (PAT). Create a new PAT [here](https://github.com/settings/tokens/new) and make sure you select the `repo` scope:
+In order to index private repositories, you'll need to generate a access token and provide it to Sourcebot. GitHub provides [two types](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#types-of-personal-access-tokens) of access tokens:
 
-![GitHub PAT Scope](/images/github_pat_scopes.png)
 
-Next, provide the PAT via the `token` property, either as an environment variable or a secret:
+<AccordionGroup>
+    <Accordion title="Fine-grained personal access tokens" defaultOpen>
+        Create a new fine-grained PAT [here](https://github.com/settings/personal-access-tokens/new). First, select the resource owner and the repositories that you want Sourcebot to have access to.
+
+        Next, under "Repository permissions", select permissions `Contents` and `Metadata` with access `Read-only`. The permissions should look like the following:
+
+        ![GitHub PAT Scope](/images/github_pat_scopes_fine_grained.png)
+
+        [GitHub docs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens)
+    </Accordion>
+    <Accordion title="Personal access tokens (classic)">
+        Create a new PAT [here](https://github.com/settings/tokens/new) and make sure you select the `repo` scope:
+        
+        ![GitHub PAT Scope](/images/github_pat_scopes.png)
+
+        [GitHub docs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#personal-access-tokens-classic)
+    </Accordion>
+</AccordionGroup>
+
+Next, provide the access token via the `token` property, either as an environment variable or a secret:
 
 <Tabs>
     <Tab title="Environment Variable">

docs/docs/connections/github.mdx

@@ -7,23 +7,6 @@ import SupportedPlatforms from '/snippets/platform-support.mdx'
 The following guide will walk you through the steps to deploy Sourcebot on your own infrastructure. Sourcebot is distributed as a [single docker container](/docs/overview#architecture) that can be deployed to a k8s cluster, a VM, or any platform that supports docker.
 
 
-## Walkthrough video
----
-
-Watch this quick walkthrough video to learn how to deploy Sourcebot using Docker.
-
-<iframe
-    src="https://youtube.com/embed/TPQh0z7Qcjg"
-    title="YouTube video player"
-    frameborder="0"
-    allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
-    allowfullscreen
-    className="aspect-video w-full"
-></iframe>
-
-## Step-by-step guide
----
-
 <Note>Hit an issue? Please let us know on [GitHub discussions](https://github.com/sourcebot-dev/sourcebot/discussions/categories/support) or by [emailing us](mailto:[email protected]).</Note>
 
 <Steps>