runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

Q: Github App, required permissions #2074

Open bongardino opened 2 years ago

bongardino commented 2 years ago

Documentation for using a Github App doesn't include what permissions are required for the App itself. It's a much different set of scopes than the Github user's.

Is there a configuration guide for this, or does anyone know what scopes / permissions are required for baseline Atlantis config for a repo via Github App? Bonus points if they support the PR approval workflow

also, thank you!

jeff-clearcover commented 2 years ago

We also ran into this and it was a bit unclear ... we were missing the Organization level Members & Webhooks (may be unneeded but made it match the repo level) permissions and it wasn't set up by default when creating the app. We require the PR's approval for atlantis apply.

Is it possible that Organization level webhooks' permissions are not required?

Here are screenshots of what we have to make things work as expected:

Repository permissions (screenshot)

Organization permissions (screenshot)

User permissions (screenshot)

Subscribe to events (screenshot)

I hope this helps @bongardino and I agree there needs to be better documentation for the Github App config.

kangman commented 2 years ago

@jeff-clearcover thanks for that config info. I am stuck simply getting the webhook yaml config to work. I'm not sure where in my repo atlantis.yaml config I should place that block. I've tried putting it within the project or at top or within a workflow and getting various errors. Even tried to do it on the server side config yaml with no luck. How it actually looks in relation to a working atlantis.yaml repo config is basically my question.

bongardino commented 2 years ago

@jeff-clearcover thanks! this is useful - we ended up with a similar set of repo permissions / webhook settings. No User or Org permissions were needed, and we require approval and mergable. Do you know what required R/W for Contents in your setup?

Sharing for posterity.

(screenshots: repo_permissions, webhook)

Actions RO is also not required, we're just testing something.
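To turn the two sets of screenshots above into a repeatable check, here is an added example (my code, not from the Atlantis project or from anyone in this thread) that diffs what a GitHub App actually has, as returned by the GitHub API's `GET /app` endpoint, against a required baseline. The baseline table `REQUIRED_PERMISSIONS` / `REQUIRED_EVENTS` is an assumption assembled from what this thread says is needed (Contents read/write, Pull requests, Webhooks, the PR comment and review events) plus the Atlantis GitHub App docs as I recall them, so adjust it to match your own working app; `SAMPLE_APP` is a constructed response, and `fetch_app` only shows where the real data would come from and needs an RS256 app JWT you mint yourself.

```python
"""Diff a GitHub App's granted permissions/events against a required baseline.

Added example, not Atlantis code. REQUIRED_* below is an assumption taken from
this issue thread and the Atlantis docs as I recall them; verify it against the
current docs and your own working app before relying on it.
"""
import json
import urllib.request

# Access levels GitHub reports in the `permissions` object of GET /app.
LEVEL = {"read": 1, "write": 2, "admin": 3}

# Assumed baseline: permission key (as GitHub names it in the API) -> minimum level.
REQUIRED_PERMISSIONS = {
    "contents": "write",          # clone/push, needed for automerge & branch deletion
    "pull_requests": "write",     # read reviews for `approved`, comment on PRs
    "issues": "write",            # PR comments are issue comments
    "statuses": "write",          # atlantis/plan and atlantis/apply commit statuses
    "checks": "write",
    "metadata": "read",
    "administration": "read",     # branch protection, used by `mergeable`
    "repository_hooks": "write",  # lets Atlantis create the repo webhook
}
REQUIRED_EVENTS = {"issue_comment", "pull_request", "pull_request_review", "push"}


def missing_permissions(app, required=REQUIRED_PERMISSIONS, events=REQUIRED_EVENTS):
    """Return (missing_perms, missing_events) for one GET /app response dict.

    missing_perms maps permission -> (required level, granted level or None).
    missing_events is a sorted list of event names the app is not subscribed to.
    """
    granted = app.get("permissions", {})
    missing = {}
    for name, need in required.items():
        have = granted.get(name)
        if have is None or LEVEL[have] < LEVEL[need]:
            missing[name] = (need, have)
    missing_events = sorted(events - set(app.get("events", [])))
    return missing, missing_events


def fetch_app(jwt):
    """Fetch the app's own record (needs network and an app JWT minted elsewhere)."""
    req = urllib.request.Request(
        "https://api.github.com/app",
        headers={"Authorization": f"Bearer {jwt}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample: an app set up like the one in the question before the fixes
# the thread describes (Contents only read, no pull_request_review subscription).
SAMPLE_APP = json.loads("""
{
  "name": "atlantis-example",
  "permissions": {
    "contents": "read",
    "issues": "write",
    "metadata": "read",
    "pull_requests": "write",
    "statuses": "write",
    "checks": "write",
    "administration": "read",
    "repository_hooks": "write"
  },
  "events": ["issue_comment", "pull_request", "push"]
}
""")

if __name__ == "__main__":
    perms, events = missing_permissions(SAMPLE_APP)
    for name, (need, have) in perms.items():
        print(f"permission {name}: need {need}, have {have}")
    for ev in events:
        print(f"event not subscribed: {ev}")
```

Run it against the sample and it reports Contents as read where write is needed and the missing Pull request review event; to check a real app, mint an app JWT, call `fetch_app(jwt)` and pass the result to `missing_permissions` instead of `SAMPLE_APP`.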

kangman commented 2 years ago

@bongardino can I pose my question to you as well, I'm a bit confused as to where the webhook config should be placed in my repo atlantis.yaml config. I see the documentation here.

config snippet

webhooks:
- event: apply
  workspace-regex: .*
  kind: slack
  channel: my-channel

but i've tried to place in my repo's atlantis.yaml file

version: 3
automerge: true
delete_source_branch_on_merge: true
projects:
  - name: test1
    dir: .
    workspace: default
    workflow: dev-wf
  - name: test2
    dir: 
    workspace: default
    delete_source_branch_on_merge: true
    autoplan:
      when_modified: ["*.tf", "*.tfvars"]
      enabled: true
    apply_requirements: [mergeable, approved]
    workflow: stage-wf
webhooks:
- event: apply
  workspace-regex: .*
  kind: slack
  channel: my-channel
workflows:
  dev-wf:
    plan:
      steps:
        - init
        - plan

bongardino commented 2 years ago

@kangman sorry! haven't tried webhooks yet, and it looks like you already found the PR page for the docs so I've got nothing useful 🤷‍♂️

rafi-fisker commented 2 years ago

I'm in the same boat, webhooks do not seem to work

npwolf commented 2 months ago

FWIW I also had trouble with this. I was able to get pr comments triggering atlantis, but not commits (autoplan). Here is what I ended up with which finally got autoplan working:

(screenshot)