Open alejandromumo opened 1 year ago
This was copied from the CodiMD above, which is not accessible outside CERN.
Find below step-by-step instructions on how to setup invenio-github on RDM and receive webhooks from Github in your local application:
invenio-github
and invenio-webhook
( invenio-rdm-records
will depend on invenio-github
and everything should be installed from there).Assuming you setup the integration, you can test the backend like so:
GET https://api.github.com/repos/{owner}/{repo_name})
POST https://127.0.0.1:5000/api/user/github/repositories/<REPO_ID>/enable
Other endpoints already tested:
POST /api/user/github/repositories/sync
: syncs all repositories. On Zenodo we have a "Sync now..." button that calls this.POST /api/user/github/repositories/<repository_id>/enable
POST /api/user/github/repositories/<repository_id>/disable
POST /api/user/github/repositories/sync
POST /api/user/github
Connect to Github page:
Repositories list page
Repository details page 3.1 Repository with no releases
3.2 Repository with releases
Invenio-OAuthClient already provides this doc, however find below the steps to set the github app:
https://127.0.0.1:5000/
)https://127.0.0.1:5000/oauth/authorized/github/
Retrieve the following client settings:
This sets up a way for Github to communicate with a local application.
Ngrok is a service that allows the integration of a local web application to remote applications (e.g. Github).
Basically Ngrok creates a tunnel between their publicly available network to you network. Since ngrok's network is reachable by the internet, Github is able to send packages from their network to ngrok. Ngrok then redirects the packages to you local machine using a tunnel.
Access https://ngrok.com/ and create an account
Install ngrok agent:
# MacOS
brew install ngrok/ngrok/ngrok
Setup ngrok [agent]:
ngrok config add-authtoken TOKEN
Setup invenio instance
Start ngrok tunnel locally.
For this step, we need to provide the port where the instance is being server (5000 by default). Since we will use it for webhook integrations, we can enforce a secret to be exchanged by Github and Ngrok as an extra security layer.
Note: there are extra security steps (e.g. adding authentication to connect to the endpoint). See ngrok docs for more information.
ngrok http https://127.0.0.1:5000 --verify-webhook github --verify-webhook-secret GITHUB_SHARED_SECRET
The public url for your ngrok session is suffixed by ngrok-free.app
. You will need this URL for github to deliver your webhooks. Save it for now. This URL will always be available in your terminal window.
NOTE: when you close the ngrok agent and open a new session, it will assign you a new URL (unless you have a paid version). You might have to change the URL config on invenio if you ever restart the ngrok session.
Docs: https://ngrok.com/docs/getting-started/
https://docs.github.com/en/webhooks-and-events/webhooks/receiving-webhooks-with-the-github-cli
Not fully tested for now, but it should be more convenient than ngrok (and safer).
The following configs must be added to your instance (invenio.cfg
):
from invenio_github.oauth.remote_app import github_app
from invenio_oauthclient.contrib import github
from invenio_rdm_records.services.github.release import RDMGithubRelease
# Add NGROK url to allowed hosts
APP_ALLOWED_HOSTS = ['0.0.0.0', 'localhost', '127.0.0.1', <NGROK_URL>]
# E.g. cea8-2001-1458-204-1-00-102-d4b9.ngrok-free.app
OAUTHCLIENT_REMOTE_APPS = dict(
github=github_app,
)
OAUTHCLIENT_REST_REMOTE_APPS = dict(
github=github_app,
)
GITHUB_APP_CREDENTIALS = dict(
consumer_key="<GITHUB_KEY>",
consumer_secret="<GITHUB_SECRET>",
)
GITHUB_WEBHOOK_RECEIVER_ID = "github"
# TODO this was blocking webhooks for me, might not be needed though.
REST_CSRF_ENABLED = False
# URL to your app (note it must be reachable from Github)
GITHUB_WEBHOOK_RECEIVER_URL = "<NGROK_URL>/api/hooks/receivers/github/events/?access_token={token}"
GITHUB_INSECURE_SSL = True
GITHUB_SHARED_SECRET = "<GITHUB_SHARED_SECRET>"
GITHUB_RELEASE_CLASS = RDMGithubRelease
GITHUB_INTEGRATION_ENABLED = True
GITHUB_KEY
and GITHUB_SECRET
are retrieved from the Github OAuth App
NGROK_URL
is retrieved above
GITHUB_SHARED_SECRET
is the same one used to configure the webhook
TODO