Open Bug 1942927 Opened 18 days ago Updated 2 days ago

New Github App Creation in mozilla-it

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

People

(Reporter: amitchell, Unassigned, NeedInfo)


Hello,
I'd like to request the creation of a new github app in the mozilla-it github org. The purpose of this app is to give us a user that can bypass required PR approvals to auto-merge no-op dependabot PRs (like https://github.com/mozilla-it/sandbox-infra/pull/538). Related Jira ticket - https://mozilla-hub.atlassian.net/browse/OPST-1462.

Details:
App Name: Dependabot Automerger (or something like that if that's taken)
Permissions: contents: read-write, pull requests: read
Repos to install the app in: https://github.com/mozilla-it/sandbox-infra/
Keys: One private key named SANDBOX_DEPENDABOT_AUTOMERGE_KEY - this needs to end up as a repo secret in https://github.com/mozilla-it/sandbox-infra/ (or put it in 1pass and I can add it).
Webhook/Callbacks: N/A, this app is just to provide permissions for a github action

We'll eventually want to make more keys & install this in another 5-6 repos, but that's far enough out that I'll make a new ticket when we need it.

I followed https://mozilla-hub.atlassian.net/wiki/spaces/GHE/pages/13664306/Custom+App+Installation+requests to make this, but LMK if you need more information or approvals.

Thanks!

Has this app been through an RRA yet?

And since this is applying to a private repo, this needs security perusal. Clovis - let us know any additional questions, and approval if so desired.

Once we know about the RRA and security's approval, we can get started creating that for you. (alternatively, you can create it in your account, and get it set just-so, and once we have approvals, we can transfer it into mozilla-it and apply to the requested repo)

Let us know if you have any questions.

Flags: needinfo?(cfoji)

I wasn't sure if RRA was required here since the app itself doesn't do anything (it's just here to provide permissions to our github actions). If we need an RRA I can start that process now.

Yeah, current practice is to have an RRA - I know that several others like this have had one.

Gotcha - I've filed the RRA, I'll come back here once that's settled.

Currently working on scheduling RRA meeting to review this

Extra context that came up in the RRA - the full list of repos we'd eventually want to roll this out to is:
https://github.com/mozilla-it/global-platform-admin/
https://github.com/mozilla-it/sandbox-infra/
https://github.com/mozilla-it/webservices-infra/
https://github.com/mozilla/security-infra/ (I know this isn't in the moz-it org; if we need to do a separate app over there we can)

Once you have the approvals - feel free to create the app (as public, so it can be installed in multiple orgs) ... then you'll want to get sign off from any repo admins (if you're not a repo admin) and then you can transfer it to the mozilla org and we can install the app.

Flags: needinfo?(amitchell)

RRA completed and App installed is now approved for the Repos in scope. I will add it to the list of approved Apps for the repos in scope once the App has been created
https://docs.google.com/document/d/14NK7cR3UsnkADZ3Q9MyFl_N7wLYj3OjF7KnRhqQig4Y/edit?usp=sharing

Flags: needinfo?(cfoji)