Skip to content

feat(applicationset): reuse repo-creds for an existing GitHub App#10092

Merged
crenshaw-dev merged 1 commit intoargoproj:masterfrom
iamnoah:scm-reuse-github-app
Aug 19, 2022
Merged

feat(applicationset): reuse repo-creds for an existing GitHub App#10092
crenshaw-dev merged 1 commit intoargoproj:masterfrom
iamnoah:scm-reuse-github-app

Conversation

@iamnoah
Copy link
Contributor

@iamnoah iamnoah commented Jul 25, 2022
edited
Loading

Closes #10079

@iamnoah iamnoah force-pushed the scm-reuse-github-app branch 4 times, most recently from abb2767 to 3b48148 Compare July 25, 2022 16:11
@codecov
Copy link

codecov bot commented Jul 25, 2022
edited
Loading

Codecov Report

Merging #10092 (d9f5a61) into master (5181bc1) will increase coverage by 0.11%.
The diff coverage is 15.62%.

❗ Current head d9f5a61 differs from pull request most recent head ed3cc89. Consider uploading reports for the commit ed3cc89 to get more accurate results

@@            Coverage Diff             @@
##           master   #10092      +/-   ##
==========================================
+ Coverage   45.92%   46.04%   +0.11%     
==========================================
  Files         229      232       +3     
  Lines       28278    27908     -370     
==========================================
- Hits        12987    12849     -138     
+ Misses      13518    13321     -197     
+ Partials     1773     1738      -35
Impacted Files Coverage Δ
applicationset/generators/pull_request.go 42.85% <0.00%> (-3.30%) ⬇️
applicationset/generators/scm_provider.go 35.57% <0.00%> (-5.09%) ⬇️
applicationset/services/pull_request/github.go 14.00% <0.00%> (ø)
applicationset/services/pull_request/github_app.go 0.00% <0.00%> (ø)
applicationset/services/scm_provider/github.go 81.17% <0.00%> (ø)
applicationset/services/scm_provider/github_app.go 0.00% <0.00%> (ø)
...is/applicationset/v1alpha1/applicationset_types.go 34.69% <ø> (-3.24%) ⬇️
util/db/repo_creds.go 0.00% <0.00%> (ø)
util/db/repository.go 39.28% <ø> (ø)
util/db/repository_secrets.go 68.60% <0.00%> (-1.09%) ⬇️
... and 28 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@iamnoah iamnoah force-pushed the scm-reuse-github-app branch from 3b48148 to d7b1866 Compare July 25, 2022 16:27
@crenshaw-dev crenshaw-dev mentioned this pull request Aug 9, 2022
Open
3 tasks
jetersen
jetersen approved these changes Aug 9, 2022
View reviewed changes
Copy link
Contributor

@jetersen jetersen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good to me.

I can wonder why there is almost no code reuse from the existing implementation for github app authentication or refactor of existing code.

Consider my comment nitpicking.

crenshaw-dev
crenshaw-dev requested changes Aug 9, 2022
View reviewed changes
Copy link
Member

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this will be a pretty awesome enhancement!

I think you might have started down the path of auto-discovering the repo creds. Did that end up not being a viable option?

@iamnoah
Copy link
Contributor Author

iamnoah commented Aug 9, 2022

why there is almost no code reuse from the existing implementation for github app authentication

I went down this path and the answer is that after ghinstallation.New, the logic for checking out a repo vs. making API calls diverges significantly. repo-server uses the git protocol naturally, vs. REST for the GitHub API.

@iamnoah
Copy link
Contributor Author

iamnoah commented Aug 9, 2022

I think you might have started down the path of auto-discovering the repo creds. Did that end up not being a viable option?

I thought better of it for a few reasons: 1. You might want a different app to checkout code than the one that scans for PRs or branches. 2. If you had a credential you didn't expect to be used this way, consuming some rate limit and making unexpected calls just seems like a good way to freak people out.

@iamnoah iamnoah force-pushed the scm-reuse-github-app branch from d7b1866 to 8e3d01a Compare August 9, 2022 20:54
@crenshaw-dev
Copy link
Member

crenshaw-dev commented Aug 9, 2022

@iamnoah makes sense. Did you find that there's something acting as a hard barrier to auto-discovery, or simply that it was too involved to tackle in this PR?

Just curious, in case someone decides to pick up auto-discovery in the future.

@jetersen
Copy link
Contributor

jetersen commented Aug 9, 2022

I went down this path and the answer is that after ghinstallation.New, the logic for checking out a repo vs. making API calls diverges significantly. repo-server uses the git protocol naturally, vs. REST for the GitHub API.

Thanks for taking the time detailing it 👍 Makes sense.

@iamnoah
Copy link
Contributor Author

iamnoah commented Aug 9, 2022

Did you find that there's something acting as a hard barrier to auto-discovery, or simply that it was too involved to tackle in this PR?

No, I had some code that would inject the argocddb, try each credential, and note if there was a 401 then stopping using it for one hour. But I realized that PRs need a separate permission and felt like the unintended consequences were too great.

I would want auto-discovery to:

  • For PRs, first use the GitHub API to make sure the App has permission to read PRs
  • Load the organization(s) the App is valid for and match that up to the configuration (don't use a credential you know will fail)
  • Some sort of opt-in/out at in argocd-cm and per credential.
  • Maybe refuse to automatically use any app credentials if there are more than one that could work.
  • Optional: the ability to use multiple credentials.

@iamnoah iamnoah force-pushed the scm-reuse-github-app branch from 8e3d01a to 02b70dc Compare August 9, 2022 21:08
@iamnoah iamnoah requested a review from crenshaw-dev August 10, 2022 14:41
@iamstarkov iamstarkov mentioned this pull request Aug 16, 2022
Closed
@crenshaw-dev
Copy link
Member

crenshaw-dev commented Aug 18, 2022

@iamnoah do you have time to resolve conflicts?

@iamnoah iamnoah force-pushed the scm-reuse-github-app branch from d9f5a61 to a13f6a1 Compare August 18, 2022 15:54
feat(applicationset): reuse repo-creds for an existing GitHub App
ed3cc89 
Closes argoproj#10079

Signed-off-by: Noah Perks Sloan <noah_sloan@securityjourney.com>
@iamnoah iamnoah force-pushed the scm-reuse-github-app branch from a13f6a1 to ed3cc89 Compare August 18, 2022 15:58
crenshaw-dev
crenshaw-dev approved these changes Aug 19, 2022
View reviewed changes
Copy link
Member

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm - thanks @iamnoah!

@crenshaw-dev crenshaw-dev merged commit 506bd3b into argoproj:master Aug 19, 2022
@iamnoah iamnoah deleted the scm-reuse-github-app branch September 22, 2022 19:56
@github-actions github-actions bot mentioned this pull request Feb 27, 2026
Closed
@github-actions github-actions bot mentioned this pull request Feb 27, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev approved these changes

+1 more reviewer

@jetersen jetersen jetersen approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

applicationset - use GitHub Apps for generators when available

3 participants

@iamnoah @crenshaw-dev @jetersen