savitaashture
Member

No description provided.

@savitaashture force-pushed the scope_token_to_repolist branch from e8d91aa to 8c44558 on April 17, 2023 08:08
@savitaashture
Member Author

cc @chmouel

@savitaashture force-pushed the scope_token_to_repolist branch from 8c44558 to 6a25148 on April 17, 2023 08:35
@savitaashture force-pushed the scope_token_to_repolist branch from 6a25148 to dbd194e on April 18, 2023 11:41

## Motivation/UseCase

Their is a use case where CI Repos Differ from CD Repos, and the teams would like the generated GitHub Token from Pipelines As Code to allow control over these secondary repos, even if they were not the one triggering the pipeline.
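
Review bot: the Motivation paragraph opens with "Their is a use case", which should be "There is a use case". The same sentence says the generated token should "allow control over these secondary repos"; stating what level of access the scoped token carries on those repos would make the motivation easier to assess.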
Member

I don't think it's a CI/CD use case but yeah.


* The configuration exist in `pipelines-as-code` configmap.

* The key which used to have list of Repos is `secret-github-app-scope-extra-repos`
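
Review bot: both bullets need a grammar pass. "The configuration exist" should be "exists", and "The key which used to have list of Repos" reads as past tense, as though the key were no longer in use; something like "The key that holds the list of repos is `secret-github-app-scope-extra-repos`" removes the ambiguity.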
Member

maybe add that the github app was installed for those repos.


### Scoping GH token to a list of Repos provided by Repository level configuration

* Scope token to a list of Repos provided by `repo_list_to_scope_token` spec configuration within the Repository custom resource
Member

maybe I would call it scopped_token_repos for the option

failed to scope token to repositories in namespace article-pipelines with error : could not refresh installation id 36523992's token: received non 2xx response status \"422 Unprocessable Entity\" when fetching https://api.github.com/app/installations/36523992/access_tokens: Post \"https://api.github.com/repos/savitaashture/article/check-runs\
```

5. If repos are given by `repo_list_to_scope_token` or `secret-github-app-scope-extra-repos` failed to scope token for any reason then CI will not run.
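
Review bot: step 5 is hard to parse, since "If repos are given by ... failed to scope token for any reason" reads as if the repos themselves failed. Suggest wording along the lines of "If scoping the token to the repos listed in `repo_list_to_scope_token` or `secret-github-app-scope-extra-repos` fails for any reason, CI will not run", so the fail-closed behaviour is stated unambiguously.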
Member

maybe add a note that if it's a github webhook method repo CR then ignore it completely, user would need to have the right on their PAT for the repos they have access to.

Member

@chmouel chmouel left a comment

SGTM, a few comments..

2 participants