JasonEtco / ci-reporter

🚧📝 GitHub App to show CI failure logs in PR comments
https://github.com/apps/ci-reporter
ISC License

Work for private repos #35

Open JasonEtco opened 6 years ago

JasonEtco commented 6 years ago

Currently, ci-reporter will not work for private repositories because the CI providers that private repos use require an API key for private builds. Here are the things that need to happen for private repo support to be possible:

To be clear, I do not want to resort to using a database for these keys. There is too much overhead involved, and I'd like to nail down a good pattern for encrypting/storing keys in repositories since it'll have implications for many more apps.

jpike88 commented 6 years ago

I'm all for this; it doesn't need to be complicated either. Need it for CodeBuild. Is anyone planning on doing this?

Dombo commented 6 years ago

What would be an appropriate key to use to encrypt these secrets - the private key that the GitHub app has?

I investigated whether Circle has a tidy way to generate an API key with a limited set of permissions, but it does not, so that would need to be communicated to the user, likely during the install & redirect phase of application install.

I think short of GitHub providing a store for secret material the best we can do is your prescribed approach.

What's the consensus between:

A) showing the user the encrypted key and asking them to commit it to config.yml

B) granting the application repository write permissions to abstract away the additional install step outlined in A?