updated setup requirements for GitHub Apps (#589)

cloudposse · Apr 23, 2024 · 7eb0a88 · 7eb0a88
1 parent 95e78e1
commit 7eb0a88
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/website/docs/integrations/github-actions/component-updater.md b/website/docs/integrations/github-actions/component-updater.md
@@ -79,11 +79,29 @@ This action will automatically open pull requests for updated components in your
 To use it, we recommend installing a GitHub App to allow GitHub Actions to create pull requests within your GitHub Organization.
 
 - [ ] Create and install a GitHub App, following [Using a GitHub App](#using-a-github-app)
+- [ ] Grant GitHub Actions workflows read and write permission
+
+1. Go to `https://github.com/organizations/YOUR_ORG/settings/actions`
+
+If you're using GitHub Enterprise, update this setting under "enterprises": `https://github.com/enterprises/YOUR_ORG/settings/actions`
+
+2. Find the section called "Workflow permissions"
+3. Select "Read and write permissions"
+
 - [ ] Allow GitHub Actions to create and approve pull requests
 
 1. Go to `https://github.com/organizations/YOUR_ORG/settings/actions`
+
+Or if you're using GitHub Enterprise, go to `https://github.com/enterprises/YOUR_ORG/settings/actions`
+
 2. Check "Allow GitHub Actions to create and approve pull requests"
 
+:::tip Repository-Level Action Settings
+
+Enabling these action settings at an Organization level will enable the same settings for all repositories in your Organization. Confirm the same settings have been enabled for your infrastructure repository and optionally disable these settings for other repositories in your Organization at your own discretion.
+
+:::
+
 ### Using a GitHub App
 
 You may notice that we pass a generated token from a GitHub App to `github-access-token` instead of using the native `GITHUB_TOKEN`. We do this because Pull Requests will only trigger other GitHub Action Workflows if the Pull Request is created by a GitHub App or PAT. For reference, see [Triggering a workflow from a workflow](https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow).
@@ -111,6 +129,14 @@ You may notice that we pass a generated token from a GitHub App to `github-acces
 6. Generate a new private key [following the GitHub documentation](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps#generating-private-keys).
 7. Finally, save both the App ID and the new private key as secrets for GitHub Actions with `ATMOS_APP_ID` and `ATMOS_PRIVATE_KEY` respectively. Note, if using GitHub Enterprise, we recommend using "GitHub Environments" to scope the Secrets to protected branches. If that's not available, use repository-scoped GitHub Secrets instead.
 
+:::tip App ID
+
+The App ID is shown under GitHub App settings under `General > About > App ID`. The App ID is _not_ the same as the Installation ID that is given in the URL when you install the App.
+
+`https://github.com/settings/apps/<YOUR APP NAME>`
+
+:::
+
 ### Using GitHub Environments
 
 We recommend creating a new GitHub environment for Atmos (requires GitHub Enterprise). With environments, the Atmos Component Updater workflow will be required to follow any branch protection rules before running or accessing the environment's secrets. Plus, GitHub natively organizes these Deployments separately in the GitHub UI.