This Node.js application is a part of the suite of services provided by the Open Source Programs Office at Microsoft to enable large-scale GitHub management experiences.
Key features center around opinionated takes on at-scale management, with an emphasis on relentless automation and delegation:
- Linking: the concept of associating a GitHub identity with an authenticated identity in another provider, for example an Azure Active Directory user
- Self-service GitHub organization join: one-click GitHub organization joining for authorized users
- Cross-organization functionality: consolidated views across a set of managed GitHub organizations including people, repos, teams
Before providing GitHub management functionality to all of Microsoft, this application started within Azure.
An introduction to this project is available in this 2015 post by Jeff Wilcox: http://www.jeff.wilcox.name/2015/11/azure-on-github/
The app is a GitHub OAuth application; with the May 2017 release of GitHub Apps (formerly called Integrations), this app over time may be refactored to support the integration concept, removing the need to dedicate a user seat to a machine account.
May 2018 Status Update
While this project is in use in production, it is in sore need of some love and refactoring.
Of specific note and goals:
- Rewrite of core logic
- Consider TypeScript to help find issues sooner in interfaces, especially as we will continue to have providers specific to companies or users that may not be generally used (making it hard to test compilation)
- Getting rid of data.js, moving to a better per-purpose provider model for data
- Removing the dependency on Azure Table to use Cosmos DB or other systems like Postgres
If you would like to talk about a plan or getting involved in this, please open an issue. I have some ideas and prototyped branches. - Jeff
- Node.js LTS (v6.10+ as of 5/31/17)
- Mixed callback and Q promises at this time
- At least one of your own GitHub organizations
- Bring your own Redis server, or use Azure Redis Cache
- Azure Active Directory, or hack your own Passport provider in
- Azure Storage for table, data.js will need some refactoring to support other providers. Other providers are being considered, including Azure Premium Table, for better performance. Help would be appreciated here!
Dev prep, build, deploy
Install Node packages
Make sure to include dev dependencies
$ npm install
Suggested global NPM packages
$ npm install -g eslint mocha grunt-cli ember-cli
$ npm run-script build
Which is equivalent to running:
$ cd client
$ npm install
$ cd ..
$ grunt
This project is starting to get improved testability. But it will be a long slog.
$ npm test
Which is equivalent to running:
$ mocha
$ eslint .
Happy to have contributions, though please consider reviewing the CONTRIBUTING.MD file, the code of conduct, and then also open a work item to help discuss the features or functionality ahead of kicking off any such work.
The configuration story for this application has been evolving over time. At this time, the following configuration elements are available, each with a distinct purpose.
A GitHub organization(s) configuration file in JSON format is required as of version 4.2.0 of the app.
- Environment Variables (see
- JSON Files (either committed directly to a repo or overwritten during deployment)
  - config/resources.json: categories, links and special resources to light up learning resources
  - config/organizations.json: organization configuration information, an alternate and additive way to include organization config in the app at deployment time. For this method to work, make sure to set the configuration environment to use from such a file using the
- Azure Key Vault secrets
With the current configuration story, a CONFIGURATION_ENVIRONMENT variable is required, as well as a secret for AAD to get KeyVault bootstrapped. That requirement will go away soon.
KeyVault Secret Support
Any configuration string property can be resolved to a KeyVault secret.
To use a stored KeyVault secret, configuration to allow this application's service get the secret value, simply use a custom keyvault:// URI format.
For example, given a key vault named samplevault, setting a configuration would resolve that secret.
To select a custom user tag for a secret, use the auth parameter of the URI: a value of get the secret and its metadata, setting the configuration value to the username tag, if
As configuration, including secrets, is resolved at startup, any key rotation would need to include a restart of the app service.
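A pre-deployment audit of configuration for keyvault:// references, as an added example that is not part of this project's code: it lists every reference, notes which ones select a tag through the URI's auth part, and flags references to vaults outside an allowlist. The reference shape (`/secrets/<name>[/<version>]` path, `.vault.azure.net` host) and all secret names are assumptions, and `parseKeyVaultReference` and `auditConfig` are hypothetical helper names.

```javascript
// Added example. Assumed reference shape (this page does not spell it out):
//   keyvault://[tag@]<vault-host>/secrets/<secret-name>[/<version>]
function parseKeyVaultReference(value) {
  let url;
  try { url = new URL(value); } catch (err) { return null; } // plain string
  if (url.protocol !== 'keyvault:') return null;
  const parts = url.pathname.split('/').filter(Boolean);
  if (parts[0] !== 'secrets' || parts.length < 2 || parts.length > 3) {
    throw new Error(`malformed Key Vault reference path: ${url.pathname}`);
  }
  return {
    vault: url.hostname.toLowerCase(),
    secretName: parts[1],
    version: parts[2] || null, // null: no explicit version requested
    tag: url.username || null, // auth part of the URI names a tag to read
  };
}

// Walk nested config; list references, flag vaults outside the allowlist.
function auditConfig(config, allowedVaults, path = '') {
  const report = { references: [], violations: [] };
  for (const [key, value] of Object.entries(config)) {
    const here = path ? `${path}.${key}` : key;
    if (value && typeof value === 'object') {
      const child = auditConfig(value, allowedVaults, here);
      report.references.push(...child.references);
      report.violations.push(...child.violations);
    } else if (typeof value === 'string') {
      try {
        const ref = parseKeyVaultReference(value);
        if (!ref) continue;
        const bucket = allowedVaults.includes(ref.vault) ? 'references' : 'violations';
        report[bucket].push({ path: here, ...ref });
      } catch (err) {
        report.violations.push({ path: here, error: err.message });
      }
    }
  }
  return report;
}

// Constructed sample configuration; vault and secret names are illustrative.
const sampleConfig = {
  redis: { key: 'keyvault://samplevault.vault.azure.net/secrets/redis-key' },
  github: { user: 'keyvault://username@samplevault.vault.azure.net/secrets/gh-app' },
  storage: { key: 'keyvault://othervault.vault.azure.net/secrets/storage-key' },
  mail: { key: 'keyvault://samplevault.vault.azure.net/keys/mail' },
};
const sampleReport = auditConfig(sampleConfig, ['samplevault.vault.azure.net']);
```

Because secrets are resolved at startup, the `references` list also serves as the inventory of values that require an app restart after rotation.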
When using Microsoft Application Insights, this library reports a number of metrics, events and dependencies.
Library events include:
- UserUnlink: When a user object is unlinked and dropped
User interface events include:
- PortalUserUnlink: When a person initiates and completes an unlink
- PortalUserLink: When a person links their account
- PortalUserReconnectNeeded: When a user needs to reconnect their GitHub account
- PortalUserReconnected: When a user successfully reconnects their GitHub account when using AAD-first auth
A custom mail provider is being used internally, but a more generic mail provider contract exists in the library folder for the app now. This replaces or optionally augments the ability of the app to do workflow over mail. Since Microsoft is an e-mail company and all.
Please see the API.md file for information about the early API implementation.
Undocumented / special features
This is meant to start an index of interesting features for operations use.
/people search view
- Add a type=former query string parameter to show a current understanding of potential former employees who cannot be found in the directory
- In the type=former view, portal system sudoers will receive a link next to the user to 'manage user', showing more information and the option to remove from the org
/repos search view
- Add a showids=1 query string parameter to have repository IDs show up next to repository names