GitHub App for Plugins Health Scoring #3294

Closed
alecharp opened this issue Dec 14, 2022 · 7 comments

Comments

@alecharp

alecharp commented Dec 14, 2022

Currently, the Plugin Health Scoring project is using a GitHub Token to interact with the GitHub API.
This has multiple downsides, such as rate limits, but also security and maintainability concerns.

I would like to have a GitHub App created. This application would require 3 permissions:

Its ID needs to be injected into the Helm Chart value (https://github.com/jenkins-infra/helm-charts/pull/347/files#diff-e00ec7517b972514486a84b4d7b359b68cc2b98b6ba7c6f3576032be9f39dbceR59).
A private key needs to be generated, converted and then injected into the Helm Chart value (https://github.com/jenkins-infra/helm-charts/pull/347/files#diff-e00ec7517b972514486a84b4d7b359b68cc2b98b6ba7c6f3576032be9f39dbceR60).

The conversion of the key can be done using

openssl pkcs8 -topk8 -inform PEM -outform PEM -in ORIGINAL_KEY.pem -out CONVERTED_KEY.pem -nocrypt

Once the application is created, it would need to be installed on the jenkinsci organization.
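
The following is an added example; it is not code from the issue or from the plugin-health-scoring project. It wraps the openssl conversion command quoted above and shows what the converted key is then used for: a GitHub App authenticates by signing a short-lived (at most 10 minutes) RS256 JWT with its private key, which it exchanges for an installation token that expires after one hour and is scoped to the App's permissions. That is the security gain over a long-lived personal token. GitHub serves the downloaded key in PKCS#1 form ("BEGIN RSA PRIVATE KEY"); the conversion to PKCS#8 ("BEGIN PRIVATE KEY") is what Java key loading via PKCS8EncodedKeySpec expects, which is assumed here to be why the chart wants the converted form. The App ID 123456 and the generated key are placeholders constructed for the demo; in practice the key downloaded from GitHub is the input. Note that -nocrypt writes the converted key unencrypted, so it is exactly as sensitive as the original and belongs in a Kubernetes secret rather than a plain values file.

```shell
#!/usr/bin/env bash
# Added example (not part of the issue or the plugin-health-scoring project):
# convert a GitHub App private key to PKCS#8 as the issue describes, then
# mint and verify the RS256 JWT a GitHub App uses to authenticate to the API.
set -euo pipefail

# base64url without padding (RFC 7515 section 2), the encoding JWTs require.
b64url_encode() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Inverse of b64url_encode: restore the standard alphabet and padding, then decode.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# Report the PEM container of a private key. GitHub serves the App key as
# PKCS#1 ("BEGIN RSA PRIVATE KEY"); Java's PKCS8EncodedKeySpec wants PKCS#8.
key_format() {
  if grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo pkcs1
  elif grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
  else echo unknown; fi
}

# The conversion from the issue. -nocrypt writes the key unencrypted, so the
# output is as sensitive as the input and must be stored as a secret.
convert_to_pkcs8() {
  openssl pkcs8 -topk8 -inform PEM -outform PEM -in "$1" -out "$2" -nocrypt
}

# Constructed stand-in for the PKCS#1 key downloaded from GitHub.
# OpenSSL 3 emits PKCS#8 by default and needs -traditional for PKCS#1;
# OpenSSL 1.1 has no -traditional and emits PKCS#1 anyway, hence the fallback.
gen_test_key_pkcs1() {
  openssl genrsa -out "$1.tmp" 2048 2>/dev/null
  openssl rsa -in "$1.tmp" -traditional -out "$1" 2>/dev/null \
    || openssl rsa -in "$1.tmp" -out "$1" 2>/dev/null
  rm -f "$1.tmp"
}

# Mint the App JWT: iss = App ID, iat backdated 60 s to absorb clock skew,
# exp 10 minutes after iat (the maximum GitHub accepts).
# $3 is an optional fixed "now" so a caller can get a reproducible token.
make_app_jwt() {
  local key=$1 app_id=$2 now=${3:-$(date +%s)}
  local header payload sig
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 540))" "$app_id" | b64url_encode)
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$key" | b64url_encode)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# Verify a JWT against the public half of the key. Prints the decoded claims
# on success so iat/exp/iss can be inspected; returns non-zero on a bad signature.
verify_app_jwt() {
  local key=$1 jwt=$2
  local header payload sig pub sigfile
  header=${jwt%%.*}
  sig=${jwt##*.}
  payload=${jwt#*.}; payload=${payload%.*}
  pub=$(mktemp)
  sigfile=$(mktemp)
  openssl pkey -in "$key" -pubout -out "$pub"
  b64url_decode "$sig" > "$sigfile"
  if ! printf '%s.%s' "$header" "$payload" \
      | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$pub" "$sigfile"
    return 1
  fi
  rm -f "$pub" "$sigfile"
  b64url_decode "$payload"
}

# End-to-end run with a constructed key and the placeholder App ID 123456.
demo() {
  local dir jwt
  dir=$(mktemp -d)
  gen_test_key_pkcs1 "$dir/github.pem"
  convert_to_pkcs8 "$dir/github.pem" "$dir/github.pk8.pem"
  echo "before: $(key_format "$dir/github.pem"), after: $(key_format "$dir/github.pk8.pem")"
  jwt=$(make_app_jwt "$dir/github.pk8.pem" 123456)
  verify_app_jwt "$dir/github.pk8.pem" "$jwt"; echo
  rm -rf "$dir"
}
```

Running `demo` prints `before: pkcs1, after: pkcs8` followed by the verified claims. The JWT produced by `make_app_jwt` is what goes in the `Authorization: Bearer` header of `POST /app/installations/{installation_id}/access_tokens`; the installation token that call returns is the credential the application should actually use against repositories, never the private key itself.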

@github-actions

Take a look at these similar issues to see if there isn't already a response to your problem:

  1. Hosting Plugin Health Scoring application on infra #3114 (75% similar)

@alecharp
Author

alecharp commented Jan 9, 2023

Hello, do you know if any progress was made on this GitHub App? Thanks.

@lemeurherve
Member

I've created the following GitHub app: https://github.com/apps/plugins-health-scoring

I've requested its installation on all @jenkinsci repositories so we wouldn't have to make another request each time a new plugin is created:

[screenshot]

But after validating this request, I got this as a response; I'm not sure at all whether the "all repositories" request has been taken into account:

[screenshot]

I hope this "all repositories" request can be done; otherwise we'll have to make requests for all of them (manually?) and make a new request each time a new plugin is created, which could be cumbersome.

@jenkins-infra/jenkinsci-admins could one of you check the request?

@jenkins-infra/security WDYT about requesting this installation on all repositories? Any contraindications?
I'm thinking maybe in case there are private repositories (I don't think so but I'm not sure, hence this ping)

@daniel-beck

> I'm thinking maybe in case there are private repositories (I don't think so but I'm not sure, hence this ping)

There are none in jenkinsci, so read access everywhere is fine.

@timja
Member

timja commented Jan 16, 2023

Approved for all repositories

[screenshot]

@lemeurherve
Member

Thanks @daniel-beck & @timja, closing this issue.

@alecharp
Author

Thank you all for your help on this!
