search

arunsathiya / set-output-janitor

Automated set-output replacements with GitHub GraphQL API
3 stars 0 forks source link

Use a bot account #17

Open arunsathiya opened 10 months ago

arunsathiya commented 10 months ago

Should stop using my personal account to submit PRs, and rather attribute them to a bot action:

https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user

arunsathiya commented 10 months ago

Read and write access to administration, code, pull requests, and workflows - this permission is set so far, and seems to work okay for creating commits but not for creating the pull request itself. Unclear why so far.

image

arunsathiya commented 10 months ago

Also worth noting that the commit (example https://github.com/arunsathiya/github-webhook-proxy/commit/e8ba0a5d33a08f9a77a46465ab92f0a08503130f, which may not exist in the future) itself does not seem to indicate the badge that this was authored by a bot. Unclear why.

image

arunsathiya commented 10 months ago

Sounds a lot like the same issue that another person ran into in 2022:

https://github.com/orgs/community/discussions/39178#discussioncomment-8201269

But as noted on that comment, setting maintainer_can_modify to false doesn't seem to have any impact at the moment.

arunsathiya commented 10 months ago

If you want to attribute app activity to the app instead of to a user, you should authenticate as an app installation instead. For more information, see "Authenticating as a GitHub App installation."

https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user

This part explains why the commit is attributed to the user account instead of the bot/app.

arunsathiya commented 10 months ago

Authenticating as a GitHub app installation is the way to go. That correctly attributes the commit to the bot user: https://github.com/arunsathiya/github-webhook-proxy/commit/08914318a30631d20addf0d144f5c805966c9f6c

Homepage Commit
image image

But PRs still fail:

Commit SHA for github-webhook-proxy: 08914318a30631d20addf0d144f5c805966c9f6c
2024/01/21 13:57:07 error preparing PR: POST https://api.github.com/repos/ExpediaGroup/github-webhook-proxy/pulls: 403 Resource not accessible by integration []

Permissions okay though:

{
  "token": "ghs_redacted",
  "expires_at": "2024-01-21T22:51:37Z",
  "permissions": {
    "administration": "write",
    "contents": "write",
    "metadata": "read",
    "pull_requests": "write",
    "workflows": "write"
  },
  "repository_selection": "all"
}
arunsathiya commented 10 months ago

Need to wait for fine-grained tokens to support "public-but-owned" data:

https://github.com/orgs/community/discussions/36441#discussioncomment-7635050