Open marcelobartsch-jt opened 3 years ago
I have created a branch in a fork. It is not well done, but it is working: https://github.com/marcelobartsch/argo-workflows/tree/github-apps It is based against release-3.0, as that was the version I was using at the moment.
Sample workflow:
```yaml
# This example demonstrates the use of a git repo as a hard-wired input artifact.
# The argo repo is cloned to its target destination at '/src' for the main container to consume.
apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: git-checkout-v3
spec:
  serviceAccountName: argo
  arguments:
    parameters:
      - name: project
        value: hermes
      - name: branch
        value: master
  templates:
    - name: git-clone
      inputs:
        parameters:
          - name: project
          - name: branch
        artifacts:
          - name: argo-source
            path: /src
            git:
              repo: "https://github.com/myorganization/{{ inputs.parameters.project }}.git"
              revision: "{{ inputs.parameters.branch }}"
              applicationIdSecret:
                name: github-app-access-token
                key: appId
              installationIdSecret:
                name: github-app-access-token
                key: installId
              applicationKeySecret:
                name: github-app-access-token
                key: key2
      container:
        image: hseeberger/scala-sbt:11.0.12_1.5.5_2.13.6
        command: [sh, -c]
        args: ["sbt build"]
        workingDir: /src
```
I like the idea of bot access... but as an aside, I think deploy keys are another access option besides personal access tokens.
The problem with deploy keys and access tokens is that you need to go repository by repository granting access, which makes it a bit problematic (we manage 600 repositories owned by many people in GitHub, some of whom were on holidays when we needed to add them to our CI/CD infrastructure). With a GitHub App, we don't need them to connect; we just allow the application to access the repo in the organization and it is done. Also, the number of requests allowed on GitHub is higher for apps than for PATs or deployment keys (about the latter I'm not that sure).
GitHub App access has been supported in ArgoCD and Argo Events since 2021.
It is the preferred way to grant access to GitHub repos and should be supported by Argo Workflows for the git input artifacts.
I'd like to upvote this one. Using PATs isn't a viable solution.
Summary
For GitHub artifacts it would be nice to support GitHub App authentication, as it is simpler to manage access to repositories that way than with personal access tokens.
What change needs making?
Implement GitHub JWT authentication for applications in workflow/artifacts/git/git.go. "github.com/bradleyfalzon/ghinstallation" is supposed to provide the helpers to do it simply. New parameters for the 'git' artifact will also be needed: 'Private Pem Key', 'Application Id' and 'Installation Id'.
Use Cases
When managing a huge number of repos from different teams, it is simpler to use a GitHub App to allow access from the workflow or CI/CD platform to the repos than to use Personal Access Tokens; this way, less human interaction is needed.
When would you use this?
To check out code from private GitHub repos.
Message from the maintainers:
Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.
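The JWT step the request describes, as an added example using only the Go standard library; it is not code from the fork, from Argo Workflows or from ghinstallation. It assumes a throwaway `demoKey` in place of the PEM held in `applicationKeySecret`, a placeholder App ID `"12345"`, and a hypothetical `checkAppJWT` that stands in locally for GitHub's validation of the token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key, not a real App key

// appJWT signs the RS256 Bearer token for POST /app/installations/{installation_id}/access_tokens.
func appJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	// iat is backdated 60s for clock drift; exp must stay within 10 minutes of now.
	claims, _ := json.Marshal(map[string]interface{}{"iss": appID, "iat": now.Add(-time.Minute).Unix(), "exp": now.Add(9 * time.Minute).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig), err
}

// checkAppJWT (hypothetical, local stand-in for the server): signature first, then the time window.
func checkAppJWT(tok string, pub *rsa.PublicKey, now time.Time) (string, error) {
	var c struct{ Iss string; Iat, Exp int64 }
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	sig, _ := b64.DecodeString(p[2])
	body, _ := b64.DecodeString(p[1])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil || json.Unmarshal(body, &c) != nil {
		return "", fmt.Errorf("bad signature or claims")
	}
	if t := now.Unix(); c.Iat > t || c.Exp <= t || c.Exp > t+600 {
		return "", fmt.Errorf("outside validity window")
	}
	return c.Iss, nil
}

func main() {
	tok, _ := appJWT("12345", demoKey, time.Now()) // "12345" is a placeholder App ID
	fmt.Println(checkAppJWT(tok, &demoKey.PublicKey, time.Now()))
}
```

The installation access token returned by that endpoint is what git then presents over HTTPS, as the password for the user `x-access-token`. Only the App's private key is long-lived, so it is the secret to store and rotate with care.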