backstage
copilot: Add an extension point for credentials resolution
#1244
Hey, I just made a Pull Request!
#1244
Added in an extension point for the copilot backend plugin to allow for custom resolution of credentials for the GitHub Enterprise Copilot API
:heavy_check_mark: Checklist
- [x] A changeset describing the change and affected packages. (more info)
- [x] Added or updated documentation
- [ ] Tests for new functionality and regression tests for bug fixes
- [ ] Screenshots attached (for UI changes)
- [x] All your commits have a
Signed-off-byline in the message. (more info)
Changed Packages
| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @backstage-community/plugin-copilot-backend | workspaces/copilot/plugins/copilot-backend | minor | v0.1.4 |
![backstage-goalie[bot] avatar](https://avatars.githubusercontent.com/u/72526453?v=4 "Published by a pub.dev verified publisher"){kind=small}
@vinzscam that is a lot of work to a core API just to get this plugin to work.
Some of the content in https://github.com/backstage/community-plugins/pull/1261 may be able to work correctly with this configuration. But certainly not for enterprise APIs.
The token required for the enterprise APIS is very powerful with enterprise level permissions over potentially dozens of organisations. It could very well be that lots of organisations want to keep that safe in some external store rather than in the backend config.
@vinzscam where do we go from here?
Should I change this PR so that the plugin uses its own config? Add a default implementation of this extension that allows to access that config? Something else?
At the moment I don't think this plugin is usable for people who use GitHub Apps to authenticate in the integrations section.
The original author of this plugin does not use GH in backstage for anything other than accessing these metrics so they were not to know that this would not work for most users.
@vinzscam where do we go from here?
Should I change this PR so that the plugin uses its own config? Add a default implementation of this extension that allows to access that config? Something else?
At the moment I don't think this plugin is usable for people who use GitHub Apps to authenticate in the integrations section.
The original author of this plugin does not use GH in backstage for anything other than accessing these metrics so they were not to know that this would not work for most users.
sorry @ScottGuymer just some clarifications to better understanding the problem 😅
Does the Copilot plugin work if you define your GitHub app in the integrations as described here and properly configure copilot.host
in the app-config to select the correct integration? Or are there some technical issues that prevent this from working?
No it does not work if you use a GH App it only works if you use a PAT token for authentication
To elaborate a bit..
It is not possible to give a GH App read:enterprise permissions so it is not possible to allow it to access the APIs needed as they require this permission.
The only way to do this is with a PAT token of a user that is an enterprise admin.
Many (most) people who use backstage with GH will do so via an app and not a PAT token.
The original creator of this plugin uses bitbucket for their source control and only uses GH for copilot. Therefor they only use a PAT in their integrations setup and do not need a GH app. This means that this setup works fine for their use case. Which is not likely for other users of backstage with GH
So what I think I will do is.
- Leave the credentials provider extension point in there
- Provide another implementation that reads directly from a
copilotsection of the config - Make the new one the default
- Expose the existing implementation as an optional way to get credentials.
The updates above have been made.
@vinzscam @awanlin I think this is ready for a review now.
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@ScottGuymer @vinzscam Can this PR be closed now since https://github.com/backstage/community-plugins/pull/1928 which uses an alternative approach has been merged?
