feat: opt-in gh app integration #1217
base: main
Codecov Report. Attention: Patch coverage is

Additional details and impacted files (Coverage Diff):

| | main | #1217 | +/- |
|---|---|---|---|
| Coverage | 56.87% | 56.50% | -0.38% |
| Files | 599 | 605 | +6 |
| Lines | 32869 | 33617 | +748 |
| Hits | 18695 | 18995 | +300 |
| Misses | 13538 | 13971 | +433 |
| Partials | 636 | 651 | +15 |
I think I know the answer, but just to confirm: if I install the GitHub app on both the foo and bar organizations and run a build within a repo in the foo org, does that mean I won't be able to clone a repo from the bar org, even if I specify
that's correct, org installations are scoped to repos in that org, unfortunately. it's extremely similar to fine-grained access tokens (the beta PATs). the workaround is to supply a GitHub classic PAT created by a user with access to all the things
```go
EnvVars:  []string{"VELA_SCM_APP_PRIVATE_KEY", "SCM_APP_PRIVATE_KEY"},
FilePath: "/vela/scm/app_private_key",
Name:     "scm.app.private_key",
Usage:    "set value of base64 encoded SCM App integration (GitHub App) private key",
```
I think that is definitely more standard
Co-authored-by: Easton Crupper <[email protected]>
this PR adds opt-in GitHub App integrations to the server.

the main differences are:

- `.netrc` password for builds when the app is installed and it can access the repo
- adds Checks functionality, pulled from the original hackathon efforts feat: add github app #1070

### New Flags

- `VELA_SCM_APP_ID`: N/A
- `VELA_SCM_APP_PRIVATE_KEY`: N/A

### Required GitHub App Configurations

#### Permissions

the GitHub App requires the following permissions at the very minimum:

- `contents:read`
- `checks:write`

builds would request write permissions through the `git` yaml block, see below.

#### Subscribed Events
#### OAuth

the same configurations and oauth scopes should be assigned to the GitHub App, including:

- oauth callback url set to `/authenticate` (like usual)
- Webhook URL set to the base url (like usual)
### New YAML block: `git`

integrating with a GitHub App allows the use of the `git` YAML block for customizing the permissions allocated to the netrc password embedded into Vela steps. this lets users customize the list of repositories that the `netrc` password has access to, but that list is restricted to ONLY the repos that the GitHub App org installation has been given access to. by default, the compiler will use the following configurations unless otherwise provided:
this WILL impact builds, check out the following list of things to consider when migrating to GitHub App

### Cloning Private Repositories

Vela builds might lose the ability to read/write from certain private repos that the repo owner may have had access to, due to the new restrictive policies set on the `netrc` token. GitHub Apps do not support providing access to repos that are outside the installation org. meaning, for a Vela build to access private repos, Go modules, etc. that are outside of the repo's org, the build author must override the `clone` step and use an alternative authentication method like a PAT. For this release, we recommend using a combination of both an OAuth app and a GitHub App with Authorization disabled.
The rest of the code base is not prepared to require user App installations, see the below examples for why.

### Enabling Private Repositories (/source/repos)

Vela users will lose the ability to enable private repositories unless the GitHub App is installed to their personal account. this is due to changes to the default permissions when using a GitHub App as an OAuth provider.

see: https://docs.github.com/en/[email protected]/apps/using-github-apps/authorizing-github-apps#difference-between-authorization-and-installation