feat: opt-in gh app integration #1217
Conversation
Co-authored-by: Easton Crupper <65553218+ecrupper@users.noreply.github.com>
Super minor stuff; tested functionally and works in both modes as advertised. Non-breaking change until you enable app integration. Nice work.
```go
EnvVars:  []string{"VELA_SCM_APP_PRIVATE_KEY", "SCM_APP_PRIVATE_KEY"},
FilePath: "/vela/scm/app_private_key",
Name:     "scm.app.private_key",
Usage:    "set value of base64 encoded SCM App integration (GitHub App) private key",
```
Maybe support both. I know some envs prefer no file access, and this would be the first item in the config that does, AFAIK. I'm OK leaving it as-is and baking in file support in a separate PR.
This PR adds opt-in GitHub App integrations to the server.

The main differences are:

- `.netrc` password for builds when the app is installed and it can access the repo
- adds Checks functionality, pulled from the original hackathon efforts (feat: add github app #1070)

## New Flags

- `VELA_SCM_APP_ID`: N/A
- `VELA_SCM_APP_PRIVATE_KEY`: N/A

## Required GitHub App Configurations

### Permissions

The GitHub App requires the following permissions at the very minimum:

- `contents:read`
- `checks:write`

Builds would request write permissions through the `git` YAML block, see below.

### Subscribed Events

### OAuth

The same configurations and OAuth scopes should be assigned to the GitHub App, including:

- OAuth callback URL: set to `/authenticate` (like usual)
- Webhook URL: set to the base URL (like usual)

## New YAML block: `git`

Integrating with a GitHub App allows the use of the `git` YAML block for customizing the permissions allocated to the `netrc` password embedded into Vela steps. This lets users customize the list of repositories that the `netrc` password has access to, but that list is restricted to ONLY the repos that the GitHub App org installation has been given access to.

By default, the compiler will use the following configurations unless otherwise provided:

This WILL impact builds; check out the following list of things to consider when migrating to GitHub App.

### Cloning Private Repositories

Vela builds might lose the ability to read/write from certain private repos that the repo owner may have had access to, due to the new restrictive policies set on the `netrc` token. GitHub Apps do not support providing access to repos that are outside the installation org. Meaning, for a Vela build to access private repos, Go modules, etc. that are outside of the repo's org, the build author must override the `clone` step and use an alternative authentication method like a PAT.

For this release, we recommend using a combination of both an OAuth app and a GitHub App with Authorization disabled.

The rest of the code base is not prepared to require user App installations; see the below examples for why.

### Enabling Private Repositories (/source/repos)

Vela users will lose the ability to enable private repositories unless the GitHub App is installed to their personal account. This is due to changes to the default permissions when using a GitHub App as an OAuth provider.

See: https://docs.github.com/en/enterprise-server@3.13/apps/using-github-apps/authorizing-github-apps#difference-between-authorization-and-installation
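The mechanics the description above relies on, as an added Go example that is not part of this PR or the go-vela code base: decoding the base64-encoded PEM key that the `VELA_SCM_APP_PRIVATE_KEY` flag's usage string describes (the same parser also accepts raw PEM, which is what the file-backed variant raised in review would hand it), minting the RS256 app JWT GitHub requires as the Bearer token for `POST /app/installations/{installation_id}/access_tokens`, and building that request's body with the `repositories` and `permissions` fields that narrow the installation token used as a build's `netrc` password. The function names (`loadAppKey`, `appJWT`, `scopedTokenRequest`, `TokenRequest`), the up-front rejection of repos outside the installation org, and the sample org `example-org` are assumptions made for this example, not Vela's API; the key is generated on the fly so the block runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
	"time"
)

// loadAppKey parses the value VELA_SCM_APP_PRIVATE_KEY describes (a base64-encoded
// PEM key). Raw PEM is accepted too, so a file-backed value needs no second parser.
// Hypothetical helper for this example, not Vela's.
func loadAppKey(value string) (*rsa.PrivateKey, error) {
	data := []byte(value)
	if !strings.Contains(value, "-----BEGIN") {
		decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(value))
		if err != nil {
			return nil, fmt.Errorf("private key is neither PEM nor base64: %w", err)
		}
		data = decoded
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found in private key")
	}
	// GitHub issues app keys in PKCS#1 form ("RSA PRIVATE KEY").
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// appJWT builds the RS256 JWT a GitHub App presents as a Bearer token when
// requesting an installation access token. GitHub rejects exp more than ten
// minutes ahead; iat is backdated a minute to absorb clock skew.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	claims, err := json.Marshal(map[string]any{
		"iat": now.Add(-time.Minute).Unix(),
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": appID,
	})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// TokenRequest is the body of POST /app/installations/{installation_id}/access_tokens.
// Listing repositories and permissions narrows the token below what the
// installation holds; GitHub answers 422 for anything the installation lacks.
type TokenRequest struct {
	Repositories []string          `json:"repositories,omitempty"`
	Permissions  map[string]string `json:"permissions,omitempty"`
}

// scopedTokenRequest encodes the minimum scope for a build's netrc password:
// contents:read unless the git block asked for more, over the named repos only.
// Repos outside the installation org are rejected here (an assumption of this
// example) because an App installation cannot grant them, per the clone caveat.
func scopedTokenRequest(org string, repos []string, perms map[string]string) ([]byte, error) {
	names := make([]string, 0, len(repos))
	for _, full := range repos {
		owner, name, ok := strings.Cut(full, "/")
		if !ok || !strings.EqualFold(owner, org) {
			return nil, fmt.Errorf("repo %q is outside installation org %q", full, org)
		}
		names = append(names, name)
	}
	if len(perms) == 0 {
		perms = map[string]string{"contents": "read"}
	}
	return json.Marshal(TokenRequest{Repositories: names, Permissions: perms})
}

func main() {
	// Constructed sample: a throwaway key stands in for the real app key.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	loaded, err := loadAppKey(base64.StdEncoding.EncodeToString(pemKey))
	if err != nil {
		panic(err)
	}
	jwt, _ := appJWT("12345", loaded, time.Now())
	body, _ := scopedTokenRequest("example-org", []string{"example-org/server", "example-org/types"}, nil)
	fmt.Println("Authorization: Bearer", jwt)
	fmt.Println(string(body))
}
```

The request body is where the restriction described above lives: a token minted without `repositories` and `permissions` carries everything the installation was granted, whereas the scoped body yields one that can only read the listed repos. Asking for a repo the installation does not cover, or a permission it was never granted, fails at token minting rather than at clone time.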