Add TEP for scoping token to a repositories #18
e8d91aa to 8c44558
cc @chmouel
8c44558 to 6a25148
6a25148 to dbd194e
|
||
## Motivation/UseCase | ||
|
||
Their is a use case where CI Repos Differ from CD Repos, and the teams would like the generated GitHub Token from Pipelines As Code to allow control over these secondary repos, even if they were not the one triggering the pipeline. |
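Review bot: the motivation sentence says the token should "allow control over these secondary repos" without saying which access that means, so readers cannot judge how far the generated token is being widened. Suggest naming the access the secondary repos actually need (for example read-only clone versus write). Also a typo in the same sentence: "Their is a use case" should read "There is a use case".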
I don't think it's a CI/CD use case but yeah.
|
||
* The configuration exist in `pipelines-as-code` configmap. | ||
|
||
* The key which used to have list of Repos is `secret-github-app-scope-extra-repos` |
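Review bot: the bullet naming `secret-github-app-scope-extra-repos` gives no value format and does not say which pipelines receive the widened token. Suggest stating the expected syntax of the list and whether every Repository served by the `pipelines-as-code` configmap gets access to the listed repos, since that determines how much a single pipeline run can reach. Wording: "The configuration exist" should be "exists", and "The key which used to have list of Repos" reads more clearly as "The key that holds the list of repos".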
maybe add that the github app was installed for those repos.
|
||
### Scoping GH token to a list of Repos provided by Repository level configuration | ||
|
||
* Scope token to a list of Repos provided by `repo_list_to_scope_token` spec configuration within the Repository custom resource |
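Review bot: the `repo_list_to_scope_token` bullet does not say what limits the repos a Repository custom resource may list. Anyone who can edit that resource could name a repository they have no rights on, so the text should state the check applied before the token is issued (for example an administrator opt-in or a same-owner restriction, if either is intended) or say explicitly that there is none.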
maybe I would call it scopped_token_repos
for the option
failed to scope token to repositories in namespace article-pipelines with error : could not refresh installation id 36523992's token: received non 2xx response status \"422 Unprocessable Entity\" when fetching https://api.github.com/app/installations/36523992/access_tokens: Post \"https://api.github.com/repos/savitaashture/article/check-runs\ | ||
``` | ||
|
||
5. If repos are given by `repo_list_to_scope_token` or `secret-github-app-scope-extra-repos` failed to scope token for any reason then CI will not run. |
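Review bot: step 5 makes scoping fail closed, which is the safer default, but it does not say how the failure reaches the user. The sample error above is the raw "422 Unprocessable Entity" from the access_tokens call and does not make clear which listed repo was rejected; suggest stating where the error is surfaced and including the repo name that could not be scoped. The step itself would read more clearly as "If scoping the token to the repos given by `repo_list_to_scope_token` or `secret-github-app-scope-extra-repos` fails for any reason, CI will not run."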
maybe add a note that if it's a github webhook method repo CR then ignore it completely, user would need to have the right on their PAT for the repos they have access to.
SGTM, a few comments..
No description provided.