ci: add workflow for team sync
Triggers a sync when a TEAMS yml file is updated.
Note that this would rely on GITHUB_TOKEN: ${{ secrets.GH_TEAM_SYNC_TOKEN }} being created with appropriate permission to manage teams. I couldn't find a token/app used elsewhere with these permissions - but, it might be good to have a fine-grained scope for this token anyway?
Any updates on the token needed for this? 🙏🏻
@BethGriggs did you verify that the current credentials don't work? I had a look at the token scopes and as far as I could find it's a classic token with org:write scope, which I think should be enough. Should we ship this and see if it works? 🤞
Sorry, I am not sure I am following the last comment. Is the implication that secrets.GH_TEAM_SYNC_TOKEN already exists with the correct scope or is there another existing token I should use in the workflow (maybe secrets.GITHUB_TOKEN)?
Either way, the workflow is pretty minimal so it should be good to ship, I think we just need to know which named secret it should use.
Ah yes ofc, was assuming that this was using the existing secret for some reason but a separate one is better for sure. GH_TEAM_SYNC_TOKEN now exists in this repo with a more narrow scope.
Ah, realized this very much won't work though since the service account doesn't have access to add and remove team members. Thinking we might need to use an app for this instead? 🤔 Not too happy having an org owner token in there either
Hmm, do you know if that involves refactoring the script to use an app, as described in the GitHub docs - Authenticating as a GitHub app?
Yep, as far as I can tell. I've created an app and installed it and added the following secrets to this repo with corresponding values:
- BACKSTAGE_ORG_MANAGER_APPLICATION_ID
- BACKSTAGE_ORG_MANAGER_INSTALLATION_ID
- BACKSTAGE_ORG_MANAGER_PRIVATE_KEY
Here's another place where we set up auth in workflows using app credentials: https://github.com/backstage/actions/blob/b3c1841fd69e1658ac631afafd0fb140a2309024/lib/createAppClient.ts#L3