jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose

GitHub App for Plugins Health Scoring #3294

Closed alecharp closed 1 year ago

alecharp commented 1 year ago

Currently, the Plugin Health Scoring project is using a GitHub Token to interact with the GitHub API. This has multiple downsides, like rate limits, but also security-wise and for maintainability.

I would like to have a GitHub App created. This application would require 3 permissions:

Its ID needs to be injected in the Helm Chart value (https://github.com/jenkins-infra/helm-charts/pull/347/files#diff-e00ec7517b972514486a84b4d7b359b68cc2b98b6ba7c6f3576032be9f39dbceR59). A private key needs to be generated and converted and then injected in the Helm Chart value (https://github.com/jenkins-infra/helm-charts/pull/347/files#diff-e00ec7517b972514486a84b4d7b359b68cc2b98b6ba7c6f3576032be9f39dbceR60).

The conversion of the key can be done using

openssl pkcs8 -topk8 -inform PEM -outform PEM -in ORIGINAL_KEY.pem -out CONVERTED_KEY.pem -nocrypt

Once the application is created, it would need to be installed on jenkinsci organization.
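A pre-flight check for the converted key, added here as an example (it is not part of this issue or of the Plugin Health Scoring project): it reports which PEM label a file carries and verifies the DER layout of an unencrypted PKCS#8 RSA key, the form that the openssl command above produces and the one worth confirming before the value goes into the Helm chart. Standard library only; the sample key is a constructed PKCS#8 wrapper around a dummy payload, not a real key.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption) in DER content form.
RSA_OID = bytes.fromhex("2a864886f70d010101")


def _der(tag, value):
    """Encode one DER TLV, switching to long-form length when needed."""
    n = len(value)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_label(pem):
    """Label of the first PEM block: 'RSA PRIVATE KEY' is PKCS#1 (GitHub's download
    format), 'PRIVATE KEY' is PKCS#8, 'ENCRYPTED PRIVATE KEY' is encrypted PKCS#8."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem)
    return m.group(1) if m else None


def is_unencrypted_pkcs8_rsa(pem):
    """True only for an unencrypted PKCS#8 PrivateKeyInfo whose algorithm is rsaEncryption."""
    if pem_label(pem) != "PRIVATE KEY":
        return False
    try:
        der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
        tag, info, _ = _read_tlv(der, 0)            # PrivateKeyInfo ::= SEQUENCE
        if tag != 0x30:
            return False
        tag, version, pos = _read_tlv(info, 0)      # version INTEGER, must be 0
        tag2, algo, pos = _read_tlv(info, pos)      # privateKeyAlgorithm SEQUENCE
        tag3, _, _ = _read_tlv(info, pos)           # privateKey OCTET STRING
        oid = _read_tlv(algo, 0)                    # first element: algorithm OID
    except (IndexError, ValueError):                # truncated or non-base64 body
        return False
    return (tag, version, tag2, tag3) == (0x02, b"\x00", 0x30, 0x04) and oid[:2] == (0x06, RSA_OID)


def sample_pkcs8_pem():
    """Constructed sample: PKCS#8 wrapper around a dummy 300-byte OCTET STRING, not a real key."""
    algo = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")   # rsaEncryption with NULL params
    info = _der(0x02, b"\x00") + algo + _der(0x04, b"\x00" * 300)
    body = base64.encodebytes(_der(0x30, info)).decode()
    return "-----BEGIN PRIVATE KEY-----\n" + body + "-----END PRIVATE KEY-----\n"
```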

github-actions[bot] commented 1 year ago

Take a look at these similar issues to see if there isn't already a response to your problem:

  1. 75% #3114

alecharp commented 1 year ago

Hello, do you know if any progress was made on this GitHub App? Thanks.

lemeurherve commented 1 year ago

I've created the following GitHub app: https://github.com/apps/plugins-health-scoring

I've requested its installation on all @jenkinsci repositories so we wouldn't have to make another request each time a new plugin is created:

image

But after validating this request, I got this as a response, not sure at all if the "all repositories" request has been taken into account:

image

I hope this "all repositories" request can be done, otherwise we'll have to make requests for all of them (manually?), and make a new request each time a new plugin is created, which could be cumbersome.

@jenkins-infra/jenkinsci-admins can one of you check the request?

@jenkins-infra/security WDYT about requesting this installation on all repositories? Any contraindication? I'm thinking maybe in case there are private repositories (I don't think so but I'm not sure, hence this ping)

daniel-beck commented 1 year ago

I'm thinking maybe in case there are private repositories (I don't think so but I'm not sure, hence this ping)

There are none in jenkinsci, so read access everywhere is fine.

timja commented 1 year ago

Approved for all repositories

image

lemeurherve commented 1 year ago

Thanks @daniel-beck & @timja, closing this issue.

alecharp commented 1 year ago

Thank you all for your help on this!