Closed Bug 1422402 Opened 8 years ago Closed 8 years ago

Assess use of external addon Bors in Mozilla's GitHub organization Mozilla

Categories

(mozilla.org :: Github: Administration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mythmon, Assigned: hwine)


I want to use the bors addon in Mozilla for the following reasons:

Increased code reliability by keeping an "evergreen" master branch, which is automatically kept in a passing state by only merging PRs that pass CI when merged with the existing code. See https://bors.tech/ for more details.

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)
I want this on mozilla/normandy, though it may be useful to provide it for other repos as well.

** Are any of those repositories private?
No

** Provide link to vendor's description of permissions needed and why
This description does not exist. The addon's site is https://bors.tech/
I've enabled this for normandy. For GitHub apps, we enable on a per repository basis. Please file additional requests for enabling on other repos.
Assignee: nobody → hwine
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
I see bors installed on normandy, but I can't configure it, and it isn't usable. I've tried the bors dashboard at https://app.bors.tech/, and GitHub's configuration at https://github.com/organizations/mozilla/settings/installations/72222. I need access to the bors dashboard to manage reviewers and watch progress of the integration. Is there anything you can do to help here? Or should I contact the bors developers? Are there any other Mozilla repos using bors I could refer to?
Status: RESOLVED → REOPENED
Flags: needinfo?(hwine)
Resolution: FIXED → ---
As a concrete example, neither I nor Rehan have permission to use bors on this PR: https://github.com/mozilla/normandy/pull/1146#issuecomment-349746006. We both have admin permissions on the repo, and both will need to be able to interact with bors for this to work out. Maybe you could click the links in the PR to give us (or at least me) access to be a reviewer? From there I think I'd be able to add other reviewers as needed in the future.
This sort of issue is one you'll need to take up with the bors team. There is only an "on/off" switch on our side. That is now "on" as shown by bot activity on the PR. GitHub Apps grant no magic permission to owners -- we're just the only ones who can flip the switch. Everything else will be based on your connection to the bors dashboard.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Flags: needinfo?(hwine)
Resolution: --- → FIXED
According to this article on the bors forum, the initial state is for whoever installed the integration to have sole review access. https://forum.bors.tech/t/adding-new-reviewers-to-a-repository/73 According to those docs, you should have access to this page, on which you can add further reviewers for normandy. https://app.bors.tech/repositories/1262/settings
Status: RESOLVED → REOPENED
Flags: needinfo?(hwine)
Resolution: FIXED → ---
Mike -- I think we're hitting a terminology barrier here. (If it really is a technical barrier, we will probably disallow this app for security reasons.)

As I read the bors docs, there are 3 steps to using bors on a repo:
a) add a bunch of files to the repo
b) enable the bors GitHub app for the repo
c) install the repo into the bors system

(c) is done by a repository admin logging into the bors dashboard[1], then navigating to the repo and clicking there (I assume). My guess is you have not done step (c).

When you log into the dashboard, you give bors the indicated scopes to your GitHub account (via OAuth), and it can do any of those as you, anywhere on GitHub, at any time until you revoke the access.

If an organization owner is required to do step (c), we'll deny the app until a security assessment of the app can be performed. It's asking for some permissions that are new, and we haven't evaluated yet.

I hope that explains it, and that my guess is correct. If not, please follow up with :gene (cc'd) -- I've already reached out to him about this new permission. (I'll be on PTO the rest of the week.)

[1] https://app.bors.tech/
Flags: needinfo?(hwine)
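The two checks described in the comment above (per-repository installation with only already-assessed permissions, and account-wide OAuth scopes granted at dashboard login) can be expressed as a small review script. This is an added example, not part of the original bug comments or of bors; the `ASSESSED` record, the app name and the sample values are constructed assumptions, with field names following GitHub's installation listing and `X-OAuth-Scopes` header.

```python
"""Pre-approval review of a GitHub App request, following the thread's two checks."""

LEVELS = {"read": 1, "write": 2, "admin": 3}

# Hypothetical org record: installation permissions already security-assessed,
# with the highest level approved for each.
ASSESSED = {"metadata": "read", "contents": "write",
            "pull_requests": "write", "statuses": "write"}

# OAuth scopes that let an app act as the user beyond a single repository.
BROAD_SCOPES = {"repo", "public_repo", "admin:org", "write:org", "admin:repo_hook"}


def review_installation(inst, assessed=ASSESSED):
    """Flag org-wide installs and permissions beyond what was assessed."""
    findings = []
    if inst.get("repository_selection") != "selected":
        findings.append("installed on all repositories, not per repository")
    for perm, level in sorted(inst.get("permissions", {}).items()):
        approved = assessed.get(perm)
        if approved is None:
            findings.append(f"unassessed permission {perm}:{level}")
        elif LEVELS.get(level, 99) > LEVELS[approved]:
            findings.append(f"{perm}:{level} exceeds assessed {approved}")
    return findings


def review_oauth_scopes(scope_header, user_is_org_owner):
    """Scopes granted at dashboard login apply to the user, not to one repo."""
    scopes = {s.strip() for s in scope_header.split(",") if s.strip()}
    broad = sorted(scopes & BROAD_SCOPES)
    if broad and user_is_org_owner:
        return [f"org owner would grant account-wide scope {s}" for s in broad]
    return []


# Constructed samples: one entry shaped like GET /orgs/{org}/installations output,
# and a scope list in the comma-separated form of the X-OAuth-Scopes header.
SAMPLE_INSTALL = {"id": 1, "app_slug": "example-merge-bot",
                  "repository_selection": "selected",
                  "permissions": {"metadata": "read", "contents": "write",
                                  "pull_requests": "write", "statuses": "write",
                                  "members": "read"}}
SAMPLE_SCOPES = "public_repo, read:org, user:email"

if __name__ == "__main__":
    for line in review_installation(SAMPLE_INSTALL):
        print("installation:", line)
    for line in review_oauth_scopes(SAMPLE_SCOPES, user_is_org_owner=True):
        print("oauth:", line)
```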
Those 3 steps are accurate, and from bors's point of view have been done. This can be seen because the link I provided in comment 5 [0] exists, and has data from the normandy repository. The integration is added to the repository, and it is active.

There is a "hidden" step (d), however. Upon being set up for a repository, bors grants review permission to whoever set up the integration. In future versions of bors, setting it up on a repo will *also* grant review permission to repo admins, but that didn't happen for us. This happened, and according to bors's author [1] the GitHub account moz-hwine has sole review permission for the repository mozilla/normandy. Bors does not use GitHub's permissions at this point, but maintains a separate set of users that have permission to interact with the service.

If I attempt to do step (c) from above, I can only grant access to repos that I directly own or are owned by orgs that I have admin rights on.

For this integration to be useful, it either needs to be removed and re-added (so that the new feature will grant more users permissions), or the GitHub user moz-hwine needs to log into the bors interface via OAuth and grant review permissions to additional users. This is what the maintainer of bors has told us, in [1].

[0]: https://app.bors.tech/repositories/1262/settings
[1]: https://github.com/mozilla/normandy/pull/1146#issuecomment-349781904
Flags: needinfo?(gene)
notriddle, the maintainer of bors, has fixed the permissions on bors for the normandy repo, and now everything is working fine.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Flags: needinfo?(gene)
Resolution: --- → FIXED
:mythmon - thanks for the comprehensive update!
Blocks: 1440494
Blocks: 1451935