HHS / simpler-grants-gov

https://simpler.grants.gov

Analytics - Set up alternative auth flow to export project data #837

Closed widal001 closed 1 month ago

widal001 commented 11 months ago

Summary

Because exporting project data requires the project:read scope, which is not available by default with the github.token provisioned automatically within a GitHub Actions workflow, we needed to set up a Personal Access Token (PAT).

This is okay for a temporary solution but medium-term we should find another way to authenticate the gh action and provide it with the scopes needed to export project data.

Acceptance criteria

coilysiren commented 7 months ago

This is something we should solve before deploying the analytics ELT application to AWS

coilysiren commented 7 months ago

The only sure-fire way I can think of to solve this is to create a bot user and use its personal access token.

A custom GitHub application might also work, but I'm not sure about that.

acouch commented 7 months ago

Some very limited digging suggests bot user + PAT or GitHub app are the options I'm seeing. I would typically not want to do the latter, but it is only read access for a project that is already open. I'm not tracking any other users for a GitHub app. Not sure the LOE on that, but I'm guessing that the former would be a lot lower.

coilysiren commented 7 months ago

I've set up both before - a bot user is easier / faster to set up.

Both options require some degree of admin access to set up. The bot option requires someone with admin access to this repository, whereas (IIRC) the application option requires someone with admin access to the organization.

acouch commented 7 months ago

Let's go with creating a bot user for now. Steps:

widal001 commented 7 months ago

FWIW I don't think creating a GitHub app and installing it in this repo would be terribly complicated if we could work with one of the HHS org admins to set this up. We've worked with one of the admins on a number of occasions to install applications on our repo (GitBook syncing, renovate bot, etc.)

But I like having a bot user as a backup for the time being!
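For reference, an added example (not code from this thread or from the simpler-grants-gov repository) of what the GitHub App variant of the "alternative auth flow" looks like: the workflow mints a short-lived installation token with actions/create-github-app-token and uses it, instead of github.token or a PAT, to query the org-level project. It assumes a GitHub App installed on the org with the Projects: Read permission, and the secret names and project number below are placeholders.

```yaml
# Added example, not the project's own workflow. Assumes a GitHub App with
# "Projects: Read" on the org; PROJECT_EXPORT_APP_ID, PROJECT_EXPORT_APP_PRIVATE_KEY
# and PROJECT_NUMBER are placeholders.
name: export-project-data

on:
  schedule:
    - cron: "0 6 * * *"
  workflow_dispatch:

permissions:
  contents: read   # the default github.token is only used for checkout

jobs:
  export:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Mint an installation token for this org. It expires after roughly an
      # hour, so no long-lived credential lives in the workflow or its secrets
      # beyond the app's private key.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PROJECT_EXPORT_APP_ID }}
          private-key: ${{ secrets.PROJECT_EXPORT_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      # Same GraphQL call a PAT-based job would make, authenticated with the
      # app token via GH_TOKEN. -F coerces the project number to an Int.
      - name: Export project items
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PROJECT_NUMBER: 13   # placeholder
        run: |
          gh api graphql \
            -F org="${{ github.repository_owner }}" \
            -F number="$PROJECT_NUMBER" \
            -f query='
              query($org: String!, $number: Int!) {
                organization(login: $org) {
                  projectV2(number: $number) {
                    items(first: 100) {
                      nodes { id type content { ... on Issue { number title state } } }
                    }
                  }
                }
              }' > project-items.json
```

The bot-user variant is the same job with GH_TOKEN set to the bot's PAT secret and the create-github-app-token step removed; the app route trades the org-admin setup for not having a standing PAT to rotate.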

widal001 commented 7 months ago

@acouch quick note on this point:

I'm not tracking any other users for a github app.

We'd also benefit from having an app to manage some of the linting steps that we're setting up in .github/linters/ which will likely support writes to our project as well. The bot user could meet this need as well though at least for the time being.

coilysiren commented 7 months ago

FYI I added my own personal access token for the dev / staging / prod step functions, as a part of https://github.com/HHS/simpler-grants-gov/pull/1624/.