Consider creating a GitHub app for the organization #1905
Comments
This was the solution I was gravitating towards too, so I'll let you know how that goes when I try it.
Are you referring to anything besides the bits that failed during 2.8.5 due to the branch protection rules?

Yeah, this would be just for the automatic version bump commit for now.
I mentioned this on Teams, but for the sake of posterity and recording a full explanation: This isn't going to be a super great solution for our needs due to the way app permissions work. For #1985 I instead landed on using deployment keys (which are essentially just SSH keys associated with a specific repo rather than a user, and can also bypass protection rules.)

TL;DR: An app would give way too much access to CI pipelines and deployment keys are simpler anyway.

The main issue with the strategy of using GitHub Apps for this is that it'd essentially give every CI pipeline access to every single Bonsai repository using the app (including ones in other organizations.) GitHub Apps aren't super meant to be used from CI workflows, they're more meant to be used from a central service you maintain. (So in a CI context you'd probably call off to the Bonsai Bot service running on a separate server to perform the release actions and it'd enforce security boundaries.) Furthermore there'd be no auditability. If someone somehow compromised the CI of the Basically the blast radius if an app key leaks is way too big for my liking, and the complexity of introducing a separate service to handle this stuff just isn't something I think makes sense for us.

A workaround for this would be to create a separate bot for every repo, but deployment keys are already per-repo and are much simpler to set up so we're better off just using them instead.

That being said, I did create a Bonsai Bot app, so we can get that transferred to the Bonsai org in case we ever want it in the future.

Closing out as the bot now belongs to the org in case we ever want it.
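To make the per-repository deploy-key approach described in the comment above concrete, here is an added example GitHub Actions workflow. It is not part of this issue or the project's own CI; the secret name `RELEASE_DEPLOY_KEY`, the bot identity and the bump-script path are assumptions. The point it illustrates is the scoping argument from the comment: the private key can only push to the one repository it is registered on, so a leak from this pipeline does not expose other repositories the way an org-wide app key would.

```yaml
# Added example (not the project's own workflow): push an automated
# version-bump commit using a deploy key scoped to this single repository.
#
# One-time setup (names are assumptions):
#   ssh-keygen -t ed25519 -N "" -C "release-bot" -f release_key
#   - register release_key.pub on the repository as a deploy key with
#     "Allow write access" enabled
#   - store the private key (release_key) as the repository secret
#     RELEASE_DEPLOY_KEY
# The key grants access to this repository only; compromise of this job
# cannot reach other repositories or organizations.
name: release-version-bump

on:
  workflow_dispatch:

permissions:
  contents: read   # GITHUB_TOKEN is kept read-only; the push uses the deploy key

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # checkout rewrites the origin remote to SSH and loads this key into
          # the local git config, so the later push authenticates as the deploy
          # key rather than as the workflow token.
          ssh-key: ${{ secrets.RELEASE_DEPLOY_KEY }}
          fetch-depth: 0

      - name: Bump version and commit
        run: |
          git config user.name "release-bot"
          git config user.email "release-bot@users.noreply.github.com"
          # Placeholder for the project's real version-bump command (assumed path).
          ./scripts/bump-version.sh
          git commit -am "Bump version [skip ci]"
          # Deploy keys registered with write access can push to the protected
          # branch when the protection rules allow them, which is the bypass the
          # comment above relies on.
          git push origin HEAD:main
```

The `[skip ci]` marker in the commit message keeps the pushed bump from re-triggering the same workflow. Keeping `permissions: contents: read` on the token means the only credential with write access in this job is the deploy key, which is exactly the credential whose blast radius is limited to one repository.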
Apparently one option to circumvent the problem of branch protection rules and commit actions is to create an organization GitHub application: https://github.com/orgs/community/discussions/25305#discussioncomment-8256560.
The app can then be customized with a logo and other metadata, and added to the bypass list of branch protection rulesets. Perhaps it could be an interesting way to fully automate the last stage of a deployment?