Flag for manual review design doc

[bkjohnson]

This is a draft design doc for what we've been calling the automated "flag for manual review" process. It is not strictly a design doc since I ended up creating the solution ahead of time as I was experimenting with Github's API and Circle's CI config, but I tried to capture some design decisions and open questions.

All feedback welcome.

Here is an earlier issue which describes some of the goals. I will try to work that into the design doc somehow.

[rianfowler]

cc @gunsch @johnpaulashenfelter

[rianfowler]

Suggested change

	- Wait for the review group to provide a manual review - it should be completed within one business day.
	- the frontend-review-group completes reviews within one business day

can we change the state of the PR to make the frontend-review-group a required reviewer?

[bkjohnson]

Unfortunately the API doesn't let us do that. All we can do is say who we want to request a review from.

However, I included a section talking about other ways that we could enforce that they wait for a manual review.

[rianfowler]

This is cool

[gunsch]

"Background" should include some details about the CODEOWNERS changes, and how that means that VSP is withdrawing from the code review process.

without explaining that, the "flag for manual review" stuff isn't really justified / doesn't connect to the background.

[bkjohnson]

I avoided that because that felt like part of the solution, and the template said to keep that out of the background. I'll try to phrase it in a way that keeps the emphasis on the problem and not the solution.

[gunsch]

any details on environment variables? doesn't have to be an explicit list in this doc, but maybe a link to documentation about them? or a link to code showing what environment variables are expected?

[bkjohnson]

I put the environment variables in the same doc with the list of triggers and linked to it. I'm not convinced that that is the best place, so that may change as I clean things up.

[gunsch]

the idea with the "detailed design" is that it should be sufficiently explained to hand off to a junior engineer who's just joining and say "go build this", and they should generally be able to figure out what needs to be done from it without any big open questions.

that framing is partly a way to put down more detailed documentation, but also partly so that other reviewers can review those decisions in detail and speak to them. in this doc, the content is very high-level, so there isn't really space for reviewers to evaluate more technical details.

a few things that immediately stand out to me as underspecified in that framing:

what's "the GitHub API"?

• what API methods are called?
• how is it depended on --- direct REST calls? through a library? does CircleCI provide this?
• how are we authorizing to the GitHub API?

how do we check out the current PR branch vs. master? is that something CircleCI provides? does CircleCI have docs on this?

• what kinds of things warrant manual review? do you have examples of the kinds of things we'd want to check for (whether or not they're in our first pass)?

[gunsch]

Design doc location: maybe back in the design-docs folder, and prepended with a date? we don't really have a convention yet for where these live, but the engineering directory is pretty convoluted already with a bunch of different files.

Couple small comments here, but otherwise this looks pretty good! adding my approval (but make sure to get others' also before submitting).

[gunsch]

From the CircleCI docs:

Note: secret masking will only prevent the value of the environment variable from appearing in your build output. The value of the environment variable is still accessible to users debugging builds with SSH.

who has SSH access to these builds?

[bkjohnson]

My understanding is that anyone who has an SSH public key on Github will be able to connect. I re-ran a job with SSH and this is what I see:

So anytime we deliberately kick off a job with SSH access, we should be able to see whoever connects to it.

[gunsch]

anyone with an SSH public key? So, that sounds to me like the GitHub bot auth token can be accessed by anyone?

[bkjohnson]

I found a more specific answer in the docs:

In order to SSH into a CircleCI build, the username must be one which has access to the project being built!

When I try to go to the project website in a private window it blocks me and forces me to authenticate with Github or Bitbucket.

I created a fake github account to test this and was able to login and view the project in Circle, but I can't even look at the project settings. I get errors when I try to follow the project, and I can't see the list of branches either. The option to trigger an SSH build is disabled as well:

After seeing all of this, I think that project access in circle requires an account to be a part of the Github organization that the repo is associated with. I've looked around at various settings to try to get a more definitive answer, but I'm not an organization admin in Circle so there are certain things I can't see. I wonder if this page would be helpful.

[gunsch]

https://discuss.circleci.com/t/disable-ssh/31057 has a couple key things:

Any user with write capabilities will also have SSH access. [...] any user with write permissions could theoretically also expose secrets via commands issues through the config.yml file.

Related question to investigate: how often do we hand out write permission on vets-website/vets-api, or do we generally keep people's access to read?

A good first step is to ensure your deploy keys only have read access to your repos.

This made me wonder, what kinds of access does our bot token have? Can we keep that as minimal as possible? (read-only + posting comments?).

Other possible idea: it sounds like contexts might be useful here.

[bkjohnson]

Do you know who gives write access to people?

Our bot token has the public_repo scope. I believe that this is the least permissions that we can give it in order for it to do its job, but it does include write access for our public repos.

Limits access to public repositories. That includes read/write access to code, commit statuses, repository projects, collaborators, and deployment statuses for public repositories and organizations.

Here is a relevant Slack thread.

Contexts are something that I haven't explored deeply. I'm interested to see how we could use them, but I don't have permissions to manage security groups so I'm a bit limited.

[gunsch]

Do you know who gives write access to people?

VA has an entire GitHub admin group. you can also talk to @ricetj about longer-term strategy for ownership on these repos, or (more immediately helpful) see if you can track down an admin for vets-website and vets-api to see how we've handed out write access so far. it's possible that most people just have read access and that this isn't a concern, but write access is typically needed for managing issues, which might mean we've handed it out more broadly.

Our bot token has the public_repo scope. I believe that this is the least permissions that we can give it in order for it to do its job, but it does include write access for our public repos.

hmm, this set of information is making me more and more concerned 😬

what does the bot need from public_repo that it can't get from (no scope)?

[rianfowler]

FWIW- Write access is needed by a GitHub team for codeowners to trigger so every VFS member has write access to the repo.

All of the FE group on VSP has admin access.

Generally everyone has write access.