as security is ongoing and ever-present, we are also trying to weave everything into our build-process and tighten loose ends a bit.
Here’s what I’d like to do: Only allow our build infrastructure / API user to release new Marketplace versions, to avoid a breach where an employee is compromised and can release fraudulent updates (which on Jira Server basically equal to root access on the underlying system).
Currently, though, permissons do not seem to allow this:
My best guess what releasing new updates includes would be “Manage app details”? Unfortunately this also includes something like fixing spelling mistakes in the Marketplace listing, which is part of our business team, so that’s really bad to cluster this under one permission. Any idea?