argoproj / argo-workflows

Workflow Engine for Kubernetes
https://argo-workflows.readthedocs.io/
Apache License 2.0

Github App Authentication Support #6491

Open marcelobartsch-jt opened 3 years ago

marcelobartsch-jt commented 3 years ago

Summary

For GitHub artifacts, it would be nice to support GitHub App authentication, as it is simpler to manage access to repositories than using a personal access token.

What change needs making?

Implement GitHub JWT authentication for applications in workflow/artifacts/git/git.go; "github.com/bradleyfalzon/ghinstallation" is supposed to provide the helpers to do it simply. New parameters for the 'git' artifact will also be needed: 'Private Pem Key', 'Application Id' and 'Installation Id'.

Use Cases

When managing a huge number of repos from different teams, it is simpler to use a GitHub App to allow access from the workflow or CI/CD platform to the repos than using Personal Access Tokens; this way, less human interaction is needed.

When would you use this?

To check out code from private GitHub repos.

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.
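
The JWT step requested above, as an added example (not code from the fork or from ghinstallation): a GitHub App signs a short-lived RS256 JWT with its private key and `iss` set to the App ID, then exchanges it for an installation token. The key and App ID below are constructed, and the function names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// AppJWT builds the short-lived RS256 JWT a GitHub App signs with its private
// key. iss is the App ID; GitHub caps the lifetime at 10 minutes.
func AppJWT(appID int64, key *rsa.PrivateKey, now time.Time) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	claims := fmt.Sprintf(`{"iss":"%d","iat":%d,"exp":%d}`, appID,
		now.Add(-time.Minute).Unix(), // backdated to tolerate clock drift
		now.Add(9*time.Minute).Unix())
	input := header + "." + b64.EncodeToString([]byte(claims))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAppJWT checks the signature against the public key, as the receiving
// side would before trusting any claim.
func VerifyAppJWT(token string, pub *rsa.PublicKey) error {
	i := strings.LastIndex(token, ".")
	sig, err := b64.DecodeString(token[i+1:])
	if i < 0 || err != nil {
		return fmt.Errorf("malformed token")
	}
	digest := sha256.Sum256([]byte(token[:i]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	jwt, _ := AppJWT(12345, key, time.Now())     // constructed App ID
	// Real use: send the JWT as a Bearer token to the installation access_tokens API.
	fmt.Println(jwt, VerifyAppJWT(jwt, &key.PublicKey))
}
```

The installation token returned by `POST /app/installations/{installation_id}/access_tokens` expires after one hour, so the App private key is the only long-lived credential to protect.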

marcelobartsch-jt commented 3 years ago

I have created a branch in a fork (https://github.com/marcelobartsch/argo-workflows/tree/github-apps); it is not well done, but it is working. It is based on release-3.0, as that was the version I was using at the moment.

marcelobartsch-jt commented 3 years ago

sample workflow

# This example demonstrates the use of a git repo as a hard-wired input artifact.
# The argo repo is cloned to its target destination at '/src' for the main container to consume.
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: git-checkout-v3
spec:
  serviceAccountName: argo
  arguments:
    parameters:
      - name: project
        value: hermes
      - name: branch
        value: master
  templates:
    - name: git-clone
      inputs:
        parameters:
          - name: project
          - name: branch
        artifacts:
          - name: argo-source
            path: /src
            git:
              repo: "https://github.com/myorganization/{{ inputs.parameters.project }}.git"
              revision: "{{ inputs.parameters.branch }}"
              applicationIdSecret:
                name: github-app-access-token
                key: appId
              installationIdSecret:
                name: github-app-access-token
                key: installId
              applicationKeySecret:
                name: github-app-access-token
                key: key2
      container:
        image: hseeberger/scala-sbt:11.0.12_1.5.5_2.13.6
        command: [sh, -c]
        args: ["sbt build"]
        workingDir: /src

crenshaw-dev commented 3 years ago

I like the idea of bot access... but as an aside, I think deploy keys are another access option besides personal access tokens.

marcelobartsch-jt commented 3 years ago

The problem with deploy keys and access tokens is that you need to go repository by repository granting access, making it a bit problematic (we manage 600 repositories owned by many people in GitHub, some on holidays when we needed to add them to our CI/CD infrastructure). With a GitHub App, we don't need them to connect; we just allow the application to access the repo in the organization and it is done. Also, the number of requests allowed on GitHub is higher on apps than PAT or deployment keys (the latter I'm not that sure).

joebowbeer commented 1 year ago

GitHub App access has been supported in ArgoCD and Argo Events since 2021.

It is the preferred way to grant access to GitHub repos and should be supported by Argo Workflows for the git input artifacts.

MueR commented 1 year ago

I'd like to upvote this one. Using PATs isn't a viable solution.