Create GH User for CI/CD
Parent Issue
No response
Task
There's a need for a new GH User to be used to run the different GH actions on the CICD pipeline.
It will need a PAT with limited scope, including pushing to master. With this in place, the `CICD_GITHUB_TOKEN` can go away.
Proposed Objective
Core Features
Proposed Priority
Priority 2 - Important
Acceptance Criteria
- New GH User for CICD created
- User has a PAT with the proper limited scope, including pushing to master.
- `CICD_GITHUB_TOKEN` is removed
External Links... Slack Conversations, Support Tickets, Figma Designs, etc.
No response
Assumptions & Initiation Needs
No response
Quality Assurance Notes & Workarounds
No response
Sub-Tasks & Estimates
No response
Ok folks, here's the plan. I spoke with Cloud Eng and they're good with the general approach.
- [x] I've opened up an access request ticket in Zendesk so that I can get access to Keeper. It's a password database that allows for secure sharing.
- [x] I created a new Google Group that will act as the email address for the machine user. I used a Google Group because it survives past any single employee and allows for us to scale past a single person to get notifications.
- [x] Create a new GitHub user tied to the Google Group email address [email protected] and store the credentials in Keeper
- [x] Setup MFA for GitHub bot account
- [x] Add the new machine user to our dotCMS GitHub org
- [x] Give dotCMS Machine User `Write` access to the core repo
- [x] Mint a new PAT from the new machine user account
- [x] Create new repo secrets to use new PATs
Keep in mind that when we remove all existing PATs it will affect LTS as well
> Keep in mind that when we remove all existing PATs it will affect LTS as well

Oh good point @erickgonzalez. So the existing ones would work till we nuked Victor's old PATs. But I should add that to the scope of this ticket.
As for making sure things keep working... What's the playbook to update the LTS pipelines? Are they just more places in the yaml on `master`? Or do I have to go into a specific branch and put up a PR there?
> - [x] Add the new machine user to our dotCMS GitHub org

Note on this one that I just added to the org. I did not add to any existing group because none stood out as an obvious fit.
We created new secrets in core repo
- `CI_MACHINE_USER`
- `CI_MACHINE_TOKEN`
All set... A few notes here
FYI @cobbg and @mbiuki
- Key rotation should be easy (just update the `CI_MACHINE_TOKEN` value and voilà), but it's not automated so rotation will be manual at this point in time
- The credentials, MFA, and PAT for the GitHub account are stored in Keeper under the `GitHub Machine User` folder. All of the cloud engineering team has access to it. You can ask them for help if you need to get into the account for whatever reason.
- Scope of the PAT was limited to `repo:status`, `repo_deployment`, and `public_repo`
- We granted the machine user `Writer` role to the core repo.
> > Keep in mind that when we remove all existing PATs it will affect LTS as well
>
> Oh good point @erickgonzalez. So the existing ones would work till we nuked Victor's old PATs. But I should add that to the scope of this ticket.
> As for making sure things keep working... What's the playbook to update the LTS pipelines? Are they just more places in the yaml on `master`? Or do I have to go into a specific branch and put up a PR there?

I think @victoralfaro-dotcms is the one who can answer this better
Also added secrets to plugin-seeds repo by Slack request from @victoralfaro-dotcms and @dsilvam
- `CI_MACHINE_USER`
- `CI_MACHINE_TOKEN`

NOTE
Used the same values for user and token as I did with core since it's for the same use
Request by @victoralfaro-dotcms to also add the secret to the enterprise repo
Added `workflow` permission to the existing token by @victoralfaro-dotcms's request
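Editor's added example, not dotCMS tooling or anything posted in this thread. The "All set" comment above says rotation is manual (update the `CI_MACHINE_TOKEN` value), and the later comments show the same token was copied into three repos (core, plugin-seeds, enterprise), so a rotation that forgets one of them leaves a revoked token in a live pipeline. The script below does that manual step with the GitHub CLI: it reads the new PAT from stdin so the value never shows up in shell history or `ps`, sanity-checks the token prefix, asks GitHub which account the token authenticates as, and then writes the secret into every repo in the list. Assumptions: `gh` is installed and logged in as someone with admin rights on the listed repos; the repo list `DEFAULT_REPOS`, the `GH` override for dry runs, and the optional `MACHINE_USER` login check are this example's own, since the machine user's login is not recorded in the thread. Two GitHub facts worth keeping next to the scopes listed above: the `public_repo` scope grants repository access only to public repositories, and a classic PAT needs the `workflow` scope (the one the final comment adds) before GitHub accepts a push that touches `.github/workflows/`.

```shell
#!/usr/bin/env bash
# rotate_ci_token.sh: rotate the CI_MACHINE_TOKEN repo secret everywhere it lives.
# Added example, not dotCMS tooling. Assumes the GitHub CLI (`gh`) is installed
# and logged in as someone with admin rights on the listed repos.
set -eu

SECRET_NAME="CI_MACHINE_TOKEN"
# Repos that received the secret in the thread above (assumed list; extend as needed).
DEFAULT_REPOS="dotCMS/core dotCMS/plugin-seeds dotCMS/enterprise"
# Command used to talk to GitHub; override with GH=echo for a dry run.
GH="${GH:-gh}"
# Optional: expected login of the machine user (not recorded in the thread).
MACHINE_USER="${MACHINE_USER:-}"

# Cheap sanity check before anything is written: classic PATs start with ghp_,
# fine-grained PATs with github_pat_. Catches an empty line or a pasted username.
looks_like_pat() {
    case "${1:-}" in
        ghp_[A-Za-z0-9]*) return 0 ;;
        github_pat_[A-Za-z0-9_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask GitHub which account the token authenticates as. The token reaches gh only
# through the child process environment, never through argv.
token_owner() {
    GH_TOKEN="$1" "$GH" api user --jq .login
}

# rotate_token TOKEN [REPO ...]
# Writes TOKEN as CI_MACHINE_TOKEN in each repo (defaults to DEFAULT_REPOS).
# printf is a shell builtin, so the value is piped to gh without ever becoming
# another process's command line.
rotate_token() {
    token="$1"; shift
    repos="${*:-$DEFAULT_REPOS}"
    for repo in $repos; do
        printf '%s' "$token" | "$GH" secret set "$SECRET_NAME" -R "$repo"
    done
}

main() {
    # Read the new PAT from stdin (e.g. `./rotate_ci_token.sh rotate < token.txt`)
    # so it lands in neither shell history nor `ps` output. The `|| [ -n ... ]`
    # keeps a token file without a trailing newline from aborting under set -e.
    IFS= read -r token || [ -n "$token" ]
    if ! looks_like_pat "$token"; then
        echo "input does not look like a GitHub PAT; nothing written" >&2
        exit 1
    fi
    owner="$(token_owner "$token")"
    if [ -n "$MACHINE_USER" ] && [ "$owner" != "$MACHINE_USER" ]; then
        echo "token belongs to '$owner', expected '$MACHINE_USER'; nothing written" >&2
        exit 1
    fi
    echo "token authenticates as $owner; updating $SECRET_NAME"
    rotate_token "$token" "$@"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
case "${1:-}" in
    rotate) shift; main "$@" ;;
esac
```

Run it as `./rotate_ci_token.sh rotate < new_token.txt` to update all three repos, or name specific repos after `rotate` to touch only some of them; `GH=echo ./rotate_ci_token.sh rotate < new_token.txt` prints the `gh` commands instead of executing them. Setting `MACHINE_USER` to the bot's login makes the script refuse a token that was minted from a personal account, which is the failure mode the ticket was opened to get rid of. Delete `new_token.txt` once the secrets are set; the copy of record stays in Keeper, as the thread describes.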