jaskaransarkaria
commented
2 weeks ago note: the app also needs a permissions update to allow the labels to be added to newly created issues
Open sj-williams opened 3 weeks ago
jaskaransarkaria
commented
2 weeks ago note: the app also needs a permissions update to allow the labels to be added to newly created issues
Background
We had an issue 20/06/24 with the
github_actions_secrets_token, in which the token no longer worked and any environments apply runs that invoked GitHub resources would fail on403 resource not accessible by integrationerrors.The token is created and managed within our GitHub App : Cloud Platform Concourse, which does define permissions for the token; however it is apparent that the permissions are inherited from the user who ran the token generating script. The original token was created by Poornima (who had organisation
ownerlevel permissions), thus had the ability to read/write vars and secrets in org repos. When her GH user was offboarded, the token & its permissions became invalid.We resolved this by having the other CP team member with org
ownerpermissions re-generate another new token.We need to either:
find a way to ensure permissions of Concourse App generated tokens can be reliably created by any member of CP
find out if the
concourse-botGitHub user can be set with the necessary permissions so that we have a machine user to prevent similar events in the future.