chdsbd / kodiak

🔮 A bot to automatically update and merge GitHub PRs
https://kodiakhq.com
GNU Affero General Public License v3.0

Self-hosting without being Github app? #702

Open okainov opened 3 years ago

okainov commented 3 years ago

I was looking at Kodiak and it seems to be super useful and I'd like to try it out in our team. However, I'm a bit hesitant about the requirement to have a GitHub App; we use private orgs on GitHub.com and there can also be some restrictions there.

Is it possible to run Kodiak as a "regular" service/executable using a GitHub API token or so? I don't need any GitHub App related things...

sbdchd commented 3 years ago

For self-hosting you can create your own GitHub App that you control, if that's what you mean.

https://kodiakhq.com/docs/self-hosting

As part of the setup process the GitHub app subscribes to events:

And then GitHub sends these events to Kodiak via a web hook

Kodiak uses these events, along with other calls to the GitHub API, to determine mergeability and to update / merge branches.

Curious what you mean by:

> I don't need any GitHub App related things...

okainov commented 3 years ago

> Curious what you mean by:

I mean exactly this. In our company the GitHub org is controlled by the IT department and it doesn't allow any GitHub Apps to be installed. As simple as that. The only way available is using a PAT token, so that's what I was asking: is there a way to run Kodiak with the token and not as a GH App?

sbdchd commented 3 years ago

Looking into Personal Access Tokens, it seems they can be granted access to various scopes, but there isn't a way to set up webhook events for PR changes.

I don't see any specific access scopes for push, pull requests, and check runs, which are necessary for determining ability to merge and merging a given PR, but those might be under the repo scope.

Since we can't set up webhooks with Personal Access Tokens, one sort of hack would be to create fake webhook events by polling the API using the personal access token.

Available Personal Access Token scopes:

[Screenshot: available Personal Access Token scopes, 2021-07-30]

okainov commented 3 years ago

> but there isn't a way to set up webhook events for PR changes.

I'm not sure what you mean. Webhooks are completely independent; they can be set up to whatever endpoint for any event, and it doesn't matter what is in the backend of the accepting service. Webhooks have nothing to do with API tokens. And they can be set up, no problems there.

sbdchd commented 3 years ago

@okainov Oh yup, you're right, my mistake.

So currently Kodiak doesn't support using a personal access token, but I don't see why we couldn't update it to.

Currently we configure the API URLs for GitHub's GraphQL and REST APIs in app_config.py:

https://github.com/chdsbd/kodiak/blob/87cdec3cfe99504b500de1d010b280ec4ca30c81/bot/kodiak/app_config.py#L64-L72

And then we have a function to get the auth header, which we could update to use a personal access token configured through an environment variable:

https://github.com/chdsbd/kodiak/blob/87cdec3cfe99504b500de1d010b280ec4ca30c81/bot/kodiak/queries/__init__.py#L1253-L1256
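One way the auth-header function described above could be extended, as an added example that is not Kodiak's own code: prefer a personal access token read from an environment variable when one is configured, and otherwise fall back to the GitHub App installation token the bot already obtains. The variable name `GITHUB_PERSONAL_ACCESS_TOKEN` and the function names `get_auth_header`, `auth_source` and `redact` are assumptions for illustration; the token values in the usage are constructed.

```python
"""Added example (not Kodiak's code): pick the GitHub Authorization header
from either a personal access token in the environment or a GitHub App
installation token. GITHUB_PERSONAL_ACCESS_TOKEN, get_auth_header,
auth_source and redact are assumed names, not Kodiak identifiers."""
import os
from typing import Dict, Mapping, Optional

PAT_ENV_VAR = "GITHUB_PERSONAL_ACCESS_TOKEN"  # assumed variable name


def redact(token: str) -> str:
    """Return a log-safe form of a token: only the last four characters.

    Whatever credential path is chosen, the raw value must never reach
    logs or error messages.
    """
    return "***" + token[-4:] if len(token) > 4 else "***"


def auth_source(installation_token: Optional[str],
                env: Mapping[str, str]) -> str:
    """Report which credential would be used: "pat", "app" or "none".

    Useful for a startup log line so an operator can confirm the bot is
    running in the intended mode without printing the secret itself.
    """
    if env.get(PAT_ENV_VAR, "").strip():
        return "pat"
    if installation_token:
        return "app"
    return "none"


def get_auth_header(installation_token: Optional[str] = None,
                    env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Build the Authorization header for GitHub's REST and GraphQL APIs.

    Preference order:
      1. A personal access token from the environment (self-hosting in an
         org where GitHub Apps cannot be installed).
      2. The GitHub App installation token the bot already fetches.

    Both token kinds are accepted by GitHub in the "token <value>" scheme.
    A PAT is a user credential, so it should be created for a dedicated
    bot account with only the repo scope the bot actually needs.
    """
    if env is None:
        env = os.environ
    pat = env.get(PAT_ENV_VAR, "").strip()
    if pat:
        return {"Authorization": f"token {pat}"}
    if installation_token:
        return {"Authorization": f"token {installation_token}"}
    raise RuntimeError(
        f"no GitHub credential: set {PAT_ENV_VAR} or supply an installation token"
    )


if __name__ == "__main__":
    # Constructed sample values; not real tokens.
    demo_env = {PAT_ENV_VAR: "ghp_constructedExampleValue1234"}
    print(auth_source(None, demo_env), redact(demo_env[PAT_ENV_VAR]))
    print(get_auth_header(env=demo_env))
```

Because `get_auth_header` takes the environment as a parameter, the PAT path can be unit-tested without touching the process environment, and `auth_source` gives an operator a way to confirm at startup which mode the bot is in without the token value ever appearing in output.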

LeoQuote commented 3 years ago

Compared with a GitHub personal token, a GitHub App is a better choice in most circumstances. GitHub Apps have more accurate permission control and a more secure authentication method; I really recommend you try a GitHub App.

For personal tokens, there are very few permission controls, while GitHub Apps have many permission levels to control.

Also, a GitHub App can be set as private, meaning only the owner of the app can install it on a repository.

And, a GitHub App does not need you to manage webhooks yourself; you would need to add a webhook setting in your org or in every single repo.

Read more at the GitHub docs: https://docs.github.com/en/developers/apps/getting-started-with-apps/differences-between-github-apps-and-oauth-apps