REQUEST: Generate a new GITHUB_TOKEN for Prow tasks running on the GitHub Project Beta board.

[Priyankasaggu11929]

The Kubernetes Release Team Enhancements sub-project is attempting to move away from using a Google Spreadsheet (as is presently done) and towards a more GitHub friendly solution for tracking KEP/enhancements that are opted-in during a Kubernetes release cycle.

The team proposes using a Periodic prow job executing a script that will be introduced as part of this PR kubernetes/sig-release#1968 to input and sync data into an Enhancements GitHub Project Beta board.

The script uses GitHub CLI to do the necessary tasks and expects a GITHUB_TOKEN Env variable available in the Prow Job container with the following appropriate permissions (for authentication):

• repo:
  • public_repo: Access public repositories
• write:org: Read and write org and team membership, read and write org projects
• read:org: Read org and team membership, read org projects
• project: Full control of projects
  • read:project Read access of projects

This issue is to track the creation of the requested GITHUB_TOKEN and add it to one of the prow build clusters.

cc: @ameukam @palnabarun @mrbobbytables

[ameukam]

/transfer org

[ameukam]

You can reuse the Github token stored as secret k8s-triage-robot-github-token in the GKE cluster `k8s-infra-prow-build-trusted.

@cblecker WDYT ? it's currently used for triage : https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-contribex-k8s-triage-robot.yaml.

[cici37]

/cc

[Priyankasaggu11929]

Thanks @ameukam. I'll go ahead with using the k8s-triage-robot-github-token token for the prow job, once @cblecker confirms. :)

[Priyankasaggu11929]

Taking it as no objection on using the token k8s-triage-robot-github-token for the periodic runs of automation script for Release Team Enhancements tracking GitHub boards. Thank you!

[rhockenbury]

@ameukam - We have tried to use the token k8s-triage-robot-github-token but that token does not have the correct scopes to interact with Github project boards. We need a token that also has the project scope.

For reference - Here's the full error message, the current job configuration, and the enhancement sync script.

Can we (1) modify the scope for k8s-triage-robot-github-token or (2) generate a new token with the requested scopes?

[ameukam]

@ameukam - We have tried to use the token k8s-triage-robot-github-token but that token does not have the correct scopes to interact with Github project boards. We need a token that also has the project scope.

For reference - Here's the full error message, the current job configuration, and the enhancement sync script.

Can we (1) modify the scope for k8s-triage-robot-github-token or (2) generate a new token with the requested scopes?

Option (2) seems like the logical path for this use case. I'll try to generate a new token with the required scopes. Is it possible to get the full of permissions required for this token ?

[rhockenbury]

Thanks. I tested the permissions. The token needs to have public_repo and project.

[rhockenbury]

@ameukam ^ Gentle bump. Do you have a rough idea of the timeline for getting that new token?

[leonardpahlke]

/cc

[ameukam]

@ameukam ^ Gentle bump. Do you have a rough idea of the timeline for getting that new token?

@rhockenbury Somehow I missed your comments, I'll try to get this done as soon I have some time.

[ameukam]

Created the token and it will be synced to the build cluster as k8s-release-enhancements-triage-github-token: https://github.com/kubernetes/k8s.io/pull/4259.

@rhockenbury @Priyankasaggu11929 we should update the ProwJob to use the new secret.

[Priyankasaggu11929]

Thanks so much for the help, @ameukam.

Raised a PR to update the ProwJob to use the new secret - https://github.com/kubernetes/test-infra/pull/27607

[Priyankasaggu11929]

Just an update: despite the new secret and GITHUB TOKEN, the job still failed.

Arnaud and I will get on a call, next week and manually test in with a new GITHUB TOKEN before reinstating the job.

cc: @rhockenbury @leonardpahlke

[leonardpahlke]

OK! If there is anything I can help with, please let me know. :)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[palnabarun]

/remove-lifecycle stale

[palnabarun]

@Priyankasaggu11929 -- were you able to get on a call and debug this?

@ameukam (when you are back from PTO) -- which account did you create the token for? and are the permissions as mentioned in https://github.com/kubernetes/org/issues/3558#issuecomment-1246822871 ?

[Priyankasaggu11929]

The Prow job with bad credentials has not yet been fixed despite many attempts by @ameukam and myself to test with various GH PAT tokens.

The SIG Release leads have agreed to use GitHub Actions Workflow as the latest update on automating the Enhancements board, as discussed in this slack conversation.

The bug-triage team also has a similar workflow, so it may be useful to adopt a similar approach for automating Enhancements tracking board too.

With that, it seems ok to close this issue for now and reopen if needed in the future.

/close

[k8s-ci-robot]

@Priyankasaggu11929: Closing this issue.

In response to [this](https://github.com/kubernetes/org/issues/3558#issuecomment-1373250662): >The Prow job with bad credentials has not yet been fixed despite many attempts by @ameukam and myself to test with various GH PAT tokens. > >The SIG Release leads have agreed to use GitHub Actions Workflow as the latest update on automating the Enhancements board, as discussed in [this slack conversation](https://kubernetes.slack.com/archives/C2C40FMNF/p1667447493240069). > >The bug-triage team also has [a similar workflow](https://kubernetes.slack.com/archives/C2C40FMNF/p1670847344108339?thread_ts=1670846775.131279&cid=C2C40FMNF), so it may be useful to adopt a similar approach for automating Enhancements tracking board too. > >With that, it seems ok to close this issue for now and reopen if needed in the future. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[ameukam]

@Priyankasaggu11929 -- were you able to get on a call and debug this?

@ameukam (when you are back from PTO) -- which account did you create the token for? and are the permissions as mentioned in #3558 (comment) ?

Token was created from @k8s-infra-ci-robot but revoked as mentioned in https://github.com/kubernetes/org/issues/3558#issuecomment-1373250662.