search

opensafely / research-template

The template for new research projects that use the OpenSAFELY framework.
MIT License
16 stars 13 forks source link

Investigate using organisation secret for Stata License key #139

Open Jongmassey opened 1 month ago

Jongmassey commented 1 month ago

Timebox: 1/2 day

We currently require read permission to the opensafely/server-instructions repo such that OpenSAFELY CLI can contact it to get the Stata license key.

https://github.com/opensafely/research-template/blob/c083d8f010faffb9beca747be29dbb3d78cd4b17/.devcontainer/devcontainer.json#L23-L26

This was added in order to enable Stata actions to be run locally within a codespace/interactive Stata development via opensafely exec. On starting a new codespace, this configuration causes a users to be prompted to authorise access to this permission request. This has caused some confusion with new users, particularly those going through the Getting Started Guide. There is a troubleshooting codespaces entry for this prompt in the docs, but it's not front-and-centre.

It would be nice if we could remove this permission and corresponding prompt.

job-runner (which is vendored into the CLI) looks for a environment variable containing the key, and if this is not set it will try to contact the github repo in question.

https://github.com/opensafely-core/job-runner/blob/a4e9cb4a1ff57f9751b970c4f6530d95755ff6bd/jobrunner/cli/local_run.py#L336-L340

There is an opensafely organisation GitHub Action Secret (thanks, @lucyb ) which contains the stata license key which is used to enable running of Stata actions in CI.

Also available are GitHub Codespace Secrets - if we were to set an opensafely organisation codespace STATA_LICENSE secret, this would set this as an env var for all codespaces started from repos in the opensafely organisation. By setting this env var, I believe we would no longer need the cross-repository permission to be configured here.

HOWEVER

Note: Organization-level secrets and variables are not accessible by private repositories for GitHub Free. For more information about upgrading your GitHub subscription

~we might not be on the right plan for this~ I've been informed we have Github Team not Free so this should be OK

Jongmassey commented 1 month ago

@bloodearnest has pointed out to me that we'd need to update the Stata License playbook to include the codespace secret

Jongmassey commented 1 month ago

We currently don't have any organisation codespace secrets set image (thanks @lucyb for the image), we could easily set a test one to check my assumptions here

Jongmassey commented 1 month ago

image

image

Jongmassey commented 1 month ago

On my own account, I have to select which repositories have access to my user codespace secret - repositories created from this template do not inherit this

Jongmassey commented 1 month ago

@lucyb could you see if for an organisation-level codespace secret, it is still necessary to individually select which repos have access ?

Image

Thanks to @inglesp , we can see that we grant access to this secret to All Repositories, Private Repositories, or selected repositories.

Jongmassey commented 1 month ago

This seems like a viable approach. We should do a test implementation of this to check our assumptions regarding opensafely CLI, and repositories created outside of the opensafely org (by members and non-members of the org)