[Request for Community Certification] CyberArk Conjur Secret Fetcher

[infamousjoeg]

Request for a new public Conjur project in CyberArk GitHub

Current project source: https://github.com/infamousjoeg/conjur-action/tree/conjur-community

Current maintainer: Joe Garcia, @infamousjoeg

Desired project URL: https://github.com/infamousjoeg/conjur-action

Brief description of project: GitHub Action available on GitHub Marketplace for secure secrets delivery to your workflow test environment using CyberArk Conjur.

Anticipated certification level: Community

[izgeri]

Hey @infamousjoeg! Sorry it's taken me a few days to look at this. It looks like you're hoping to keep the project in your own GitHub, and this process is really intended for software that's contributed to the CyberArk GitHub.

What do you view as the downside of contributing your project? If there are any questions I can help answer, I'd be happy to do so. It may help to know that you would remain the owner-maintainer of the project even after it's migrated.

If you'd like to keep your project in your own GitHub, that's fine - and you can still share it in Discourse and promote it there. But we'd ask you to remove the certification level badge, as it hasn't gone through our community contribution process.

Please let me know how you'd like to move forward.

[infamousjoeg]

Thanks @izgeri. My concern with moving it to the cyberark org is that it would break the GitHub Marketplace integration that currently has this action listed on it.

I cannot find validation anywhere in GitHub's help documents that assures me moving the repository (or transferring it) would keep that intact.

If there was positive confirmation that we can transfer the repository while still keeping it in the GitHub Marketplace, I would be open to it being contributed.

[boazmichaely]

@infamousjoeg can you share a link where this shows in the Gitub marketplace?
Also how difficult was it to get it listed? Would it be too much work to replace the private one with a CyberArk based one if it cannot simply be transferred?

[izgeri]

@infamousjoeg that makes me even more excited about migrating your work, because it's an opportunity to have an official CyberArk listing of this action in the marketplace. We can work with you / GitHub to make sure that this process is smooth - I'm tagging in @cyberark/conjur-infra-team in case they might have any additional info / ideas.

[infamousjoeg]

@boazmichaely you can find it here: https://github.com/marketplace/actions/cyberark-conjur-secret-fetcher

It wasn't difficult to get listed. The thing about GitHub Actions is that they're referenced in Workflows at their repository they entered the Marketplace at...

So if someone is using my Action, it will break once it's transferred because the action they reference will no longer exist.

As you can see in the README Example of the repository, any users using my action will break since it will become cyberark/conjur-action instead of being infamousjoeg/conjur-action.

If we can figure out a way to seamlessly transition those users, it would be awesome. Unfortunately, GitHub doesn't provide metrics or "Insights" into Marketplace downloads, however there is a fork and branch by the org whitesource on my repo, so it may be in use with them.

[infamousjoeg]

Looks like possibly @CarMax too:

[boazmichaely]

Does it make sense to make a new one, enlist it in the market place, and while leaving the old one active, add language that points to the new one and says it is (or will be) deprecated ?

[infamousjoeg]

In all honesty after thinking about it more, I think ripping the bandage off now and dealing with the wound is the best approach. Right now there's less than a handful potentially using it. If it gets any more popular, which I don't see happening without @cyberark org backing, but we can really market this if it was accepted by @cyberark.

@izgeri Can we discuss a possible upgrade from community to trusted or otherwise, if this is the case? I'd like to shoot for the highest available community certification level, if possible. Please let me know what I need to do to make this happen and I can focus on completing it on the conjur-community branch.

[izgeri]

Thanks @infamousjoeg! Let's work on getting it migrated first. We can advise you on deprecating your existing project in favor of the new one once we've migrated - I agree with @boazmichaely that that's a healthy path. If we do a good job of informing users about this, they'll want to use the cyberark version because it will continue to be updated and supported, whereas once yours has been deprecated there will be no more changes going forward.

I'll be in touch next week with more info and next steps!

[garymoon]

FYI Joe's version is mentioned in this blog post.

[infamousjoeg]

FYI Joe's version is mentioned in this blog post.

Whaaaaaaaaat?! Yes!

[izgeri]

@infamousjoeg I've created a repo for your migrated project here: https://github.com/cyberark/conjur-action. It's not public, but you should have access.

Usually for pre-existing projects there's some cleanup work that needs to be done to get the project ready to migrate, like changing references to the repo URL, etc. You may find it easiest to do this on a branch of your project (infamousjoeg/conjur-action) and then submit a PR to the cyberark/conjur-action project. Once you open it, the first PR will include a checklist in its description of the things you need to verify before we can make the repo public. Work through the checklist, and when you're ready tag me for a review. Once everything is all set, we'll merge in your migrated code and flip the repo to public.

Please let me know if you have any questions along the way!