-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate Prow GitHub authentication from Personal Access Token to a GitHub App #10423
Comments
certainly for access to checks api (perhaps not v4). Github are very keen on shifting to app vs PAT |
I updated the description of the issue with the official reasons mentioned by GitHub in order to avoid any controversy. |
cc @cjwagner |
I think an advantage of GitHub apps over using PAT is that GitHub apps are owned by the organization. I think this will make them much easier to administer than bot accounts which requires sharing access to a GitHub account. I dug into this an it looks to me like the way it works is that GitHub apps use private certs to generate JWTs which are then used to authenticate to the GitHub APIs: e.g. see the examples So I think the primary work would be updating your GitHub client to generate JWTs Line 49 in e591cdf
Some googling turned up the following library for generating JWTs in go: |
Here is how we can update tackle to help make this easier: https://developer.github.com/apps/building-github-apps/creating-github-apps-from-a-manifest/ Note that this change would have some downsides. We could not, for example, react to a comment/issue |
It was noted that this approach will not give us the same access to the API as we have with PAT -- some APIs are PAT-only. Not sure if any of those are ones we use, though, or what the set is, even. |
I have heard that github want to replace PAT at some point so any gaps in api coverage are likely temporary anyway. |
Sure, but:
Not a blocker, just more things to think about when this work is undertaken. Agreed that the official stance from GitHub is that we should in a perfect world move away from PAT. |
We would also get way, way more tokens if we interacted as an app against high-volume orgs like kubernetes. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle rotten |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
/remove-lifecycle rotten This is currently missing the Tide bits, the rest works already. I'll try to get the tide bits done in the near future, I have some work on that locally already. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
maybe ref: #20713 (if Actions integration implies interacting with Checks) |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
Tide gh apps support was finished in #23036, we rolled it out in Openshift today and it appears to be working fine. That means the only thing left here is to update our documentation and samples. |
Was that the last thing to being able to migrate prow fully? Should we start looking at moving prow.k8s.io as well? |
Yes
I think that would be great :) I am not sure if there is an immediate practical benefit to that, though. It is primarily useful to simplify onboarding orgs as the webhook and hmac secret are configured on the app instead of on the org and to alleviate token exhaustion issues (which afaik do not exist for prow.k8s.io). One thing to note is that if a github apps needs to be installed in more than one GH org, everyone will be able to install it[1]. While not great this is IMHO ok, as Prow won't do anything for events in orgs or repos it has no config for. |
I assume that the gh apps user name is different from previous prow bot account, so during the transition period prow might do something inconsistent, for example it will not find previous existing bot comment and comment something new. Is there any other side effect that you have observed? In another word, if we want to migrate one of our prow instance over, what should we communicate with our users? |
Yes, that is correct, e.G.
No, we actually did this relatively silently (and gradually through the |
What would you like to be added:
Prow is currently using a Personal Access Token to authenticate with GitHub API. In the meantime, GitHub has revamped the API authentication mechanism and introduced GitHub Apps, which will replace soon the Personal Access Token and OAuth tokens.
Migrate prow from a Personal Access Token to a GitHub App.
Why is this needed:
GitHub Apps provide some advantages over Personal Access Tokes which are listed here:
https://developer.github.com/apps/migrating-oauth-apps-to-github-apps/
cc @rawlingsj @wbrefvem
/kind feature
/area prow
The text was updated successfully, but these errors were encountered: