
feat: opt-in gh app integration #1217

Merged
merged 78 commits into from
Dec 19, 2024

Conversation

plyr4
Contributor

@plyr4 plyr4 commented Oct 25, 2024

this PR adds opt-in GitHub App integrations to the server.

the main differences are:

  • integrate with an OAuth GitHub App by providing an app id and private key
  • use the GitHub App to generate the .netrc password for builds when the app is installed and it can access the repo
  • adds webhook handlers for GitHub App installation and installation_repositories events, and syncs existing repos when changes are made
  • adds Checks functionality, pulled from the original hackathon efforts feat: add github app #1070
    • pulled out this code, it will be a follow-up PR

New Flags

| Key | Description | Default Value |
| --- | --- | --- |
| VELA_SCM_APP_ID | set to the App ID for the GitHub App | N/A |
| VELA_SCM_APP_PRIVATE_KEY | the string value for the GitHub App private key generated through GitHub | N/A |

Required GitHub App Configurations

Permissions

the GitHub App requires the following permissions at the very minimum:

  • contents:read
  • checks:write

builds would request write permissions through the git yaml block, see below.

Subscribed Events

  • Installation target

OAuth

the same configurations and oauth scopes should be assigned to the GitHub App, including:

  • oauth callback url set to /authenticate (like usual)
  • Webhook URL set to the base url (like usual)

New YAML block: git

integrating with a GitHub App allows the use of the git YAML block for customizing the permissions allocated to the netrc password embedded into Vela steps.

```yaml
git:
  token:
    repositories:
      - foo/bar
      - helloworld
    permissions:
      contents: write
      checks: write
```

this lets users customize the list of repositories that the netrc password has access to, but that list is restricted to ONLY the repos that the GitHub App org installation has been given access to.

by default, the compiler will use the following configurations unless otherwise provided:

```yaml
git:
  token:
    repositories:
      - VELA_BUILD_REPO
    permissions:
      contents: read
      checks: write
```

⚠️ Netrc Considerations

this WILL impact builds; check out the following list of things to consider when migrating to a GitHub App.

Cloning Private Repositories

Vela builds might lose the ability to read/write from certain private repos that the repo owner may have had access to due to the new restrictive policies set on the netrc token.

GitHub Apps do not support providing access to repos that are outside the installation org, meaning that for a Vela build to access private repos, Go modules, etc. that are outside of the repo's org, the build author must override the clone step and use an alternative authentication method like a PAT.

⚠️ OAuth Considerations

For this release, we recommend using a combination of both an OAuth app and a GitHub App with Authorization disabled.
The rest of the code base is not prepared to require user App installations, see the below examples for why.

Enabling Private Repositories (/source/repos)

Vela users will lose the ability to enable private repositories unless the GitHub App is installed to their personal account. this is due to changes to the default permissions when using a GitHub App as an OAuth provider.
see: https://docs.github.com/en/enterprise-server@3.13/apps/using-github-apps/authorizing-github-apps#difference-between-authorization-and-installation
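As an added illustration of the `git.token` resolution the description above lays out (example code written for this page, not Vela's implementation): the compiler defaults, the restriction of the repository list to what the App installation was granted, the JSON body GitHub's installation access-token endpoint (`POST /app/installations/{installation_id}/access_tokens`) takes, and the `.netrc` line a build would embed. The `installOrg` and `accessible` inputs, the treatment of bare repo names as belonging to the installation org, and the sample repository set are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// GitToken mirrors the fields of the PR's `git.token` YAML block.
type GitToken struct {
	Repositories []string          `json:"repositories,omitempty"`
	Permissions  map[string]string `json:"permissions,omitempty"`
}

// DefaultPermissions are the compiler defaults stated in the PR description.
func DefaultPermissions() map[string]string {
	return map[string]string{"contents": "read", "checks": "write"}
}

// ResolveTokenRequest applies the defaults and the installation restriction
// described in the PR to a user-supplied block. buildRepo is the "owner/name"
// of the repo being built (what VELA_BUILD_REPO expands to), installOrg is the
// org the GitHub App is installed in, and accessible is the set of repo names
// that installation was granted. Entries without an owner are assumed to live
// in the installation org (an assumption of this example, not Vela's rule).
// It returns the resolved request, the entries that were dropped, and an error
// if nothing usable remains.
func ResolveTokenRequest(cfg GitToken, buildRepo, installOrg string, accessible map[string]bool) (GitToken, []string, error) {
	repos := cfg.Repositories
	if len(repos) == 0 {
		repos = []string{buildRepo}
	}

	out := GitToken{Permissions: map[string]string{}}
	var rejected []string
	seen := map[string]bool{}
	for _, r := range repos {
		owner, name := installOrg, r
		if i := strings.Index(r, "/"); i >= 0 {
			owner, name = r[:i], r[i+1:]
		}
		// Outside the installation org, or not granted to the installation:
		// the App cannot mint a token for it, so it is dropped rather than
		// silently widened to something else.
		if !strings.EqualFold(owner, installOrg) || !accessible[name] {
			rejected = append(rejected, r)
			continue
		}
		if !seen[name] {
			seen[name] = true
			out.Repositories = append(out.Repositories, name)
		}
	}
	if len(out.Repositories) == 0 {
		return GitToken{}, rejected, errors.New("no requested repository is accessible to the installation")
	}

	if len(cfg.Permissions) == 0 {
		out.Permissions = DefaultPermissions()
	} else {
		for k, v := range cfg.Permissions {
			out.Permissions[k] = v
		}
	}
	return out, rejected, nil
}

// AccessTokenBody renders the JSON body GitHub expects on
// POST /app/installations/{installation_id}/access_tokens: "repositories" are
// repo names within the installation, "permissions" scope the resulting token.
func AccessTokenBody(t GitToken) (string, error) {
	b, err := json.Marshal(t)
	return string(b), err
}

// NetrcEntry renders the .netrc line a build would embed; installation tokens
// authenticate over HTTPS with the fixed login "x-access-token".
func NetrcEntry(host, token string) string {
	return fmt.Sprintf("machine %s login x-access-token password %s", host, token)
}

func main() {
	// Constructed sample: the org installation was granted these three repos.
	accessible := map[string]bool{"server": true, "bar": true, "helloworld": true}
	cfg := GitToken{
		Repositories: []string{"foo/bar", "helloworld", "other-org/secret"},
		Permissions:  map[string]string{"contents": "write", "checks": "write"},
	}
	req, rejected, err := ResolveTokenRequest(cfg, "foo/server", "foo", accessible)
	if err != nil {
		panic(err)
	}
	body, _ := AccessTokenBody(req)
	fmt.Println("request body:", body)
	fmt.Println("dropped:", rejected)
	fmt.Println(NetrcEntry("github.com", "<installation-token-placeholder>"))
}
```

Dropping inaccessible entries (and failing when none remain) keeps the token from ever being requested for a wider set than the installation allows; a build that needs a cross-org private repo surfaces that in the rejected list instead of failing later inside the clone step.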

plyr4 and others added 9 commits November 12, 2024 08:55
Co-authored-by: Easton Crupper <65553218+ecrupper@users.noreply.github.com>
wass3rw3rk
wass3rw3rk previously approved these changes Dec 18, 2024
Member

@wass3rw3rk wass3rw3rk left a comment


super minor stuff; tested functionally and works in both modes as advertised. non-breaking change until you enable app integration. nice work.

```go
EnvVars:  []string{"VELA_SCM_APP_PRIVATE_KEY", "SCM_APP_PRIVATE_KEY"},
FilePath: "/vela/scm/app_private_key",
Name:     "scm.app.private_key",
Usage:    "set value of base64 encoded SCM App integration (GitHub App) private key",
```
Member

@wass3rw3rk wass3rw3rk Dec 18, 2024


maybe support both. i know some envs prefer no file access and this would be the first item in the config that does, afaik. i'm ok leaving it as-is and baking in file support in a separate PR.

@plyr4 plyr4 merged commit f6dd71e into main Dec 19, 2024
14 of 16 checks passed
@plyr4 plyr4 deleted the feat/gh-app branch December 19, 2024 17:05
timhuynh94 pushed a commit that referenced this pull request Jan 17, 2025