Add option to publish image-info using GitHub App installation auth rather than account PAT
Policies around bot accounts and PATs are changing, and for the Microsoft build of Go, we're migrating to GitHub Apps.
For our Go infra tasks, what this looks like is moving to either accept a user PAT or app client id + installation + private key (cert).
Has this been considered for docker-tools image-info updates?
If the plan is to keep using an account indefinitely, I think we could work around this without diverging eng/common by disabling built-in image-info publish and adding another stage that runs our own code to do the publish.
Related: https://github.com/dotnet/dotnet-docker-internal/issues/7468
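The "client id + installation + private key" flow mentioned above is the standard GitHub App installation auth exchange: the app signs a short-lived RS256 JWT with its private key, then trades that JWT for an installation access token that is scoped to the installation's permissions and expires within the hour. The following Go program is an added illustration written for this thread, not code from docker-tools or the Microsoft Go infra; the client ID, installation ID and the `ghs_constructed` token value in the test are constructed placeholders, and the verify helper exists only so the exchange can be checked offline.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// AppJWT builds the short-lived RS256 JWT a GitHub App presents to prove its identity.
// GitHub accepts the app's client ID (or numeric app ID) as "iss" and rejects tokens
// valid for more than 10 minutes; 9 minutes leaves headroom for clock skew.
func AppJWT(clientID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	claims := map[string]interface{}{
		"iat": now.Add(-60 * time.Second).Unix(), // backdate to tolerate skew
		"exp": now.Add(9 * time.Minute).Unix(),
		"iss": clientID,
	}
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyAppJWT checks an RS256 JWT against the app's public key and returns its claims.
// This is what GitHub does server-side; it is included here so the token can be
// validated locally without network access.
func VerifyAppJWT(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	enc := base64.RawURLEncoding
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// InstallationToken exchanges the app JWT for an installation access token via
// POST {apiBase}/app/installations/{id}/access_tokens (GitHub answers 201 Created).
// The result is what a pipeline stage should use for the git push; the private key
// never leaves the signing step. apiBase is https://api.github.com in production.
func InstallationToken(apiBase, appJWT string, installationID int64, client *http.Client) (string, error) {
	url := fmt.Sprintf("%s/app/installations/%d/access_tokens", apiBase, installationID)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader([]byte("{}")))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+appJWT)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return "", fmt.Errorf("unexpected status %s", resp.Status)
	}
	var body struct {
		Token string `json:"token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	return body.Token, nil
}

func main() {
	// Constructed key and client ID; a real app loads its PEM key from a secret store.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, err := AppJWT("Iv1.constructed-client-id", key, time.Now())
	if err != nil {
		panic(err)
	}
	claims, err := VerifyAppJWT(tok, &key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("app JWT ok, iss=%v exp=%v\n", claims["iss"], claims["exp"])
}
```

The installation token, not the JWT, is what the publish stage should hold; it carries only the permissions granted to that installation (for image-info, contents write on the target repo) and expires on its own, which is the main operational difference from an account PAT.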
To give more context - we aren't prioritizing migrating our bot right now, but I'd be happy to accept contributions in this space if we can agree on a solution. Splitting up the generating and publishing of ImageArtifactDetails files doesn't sound like a bad idea to me.
If we were to build-in support for GitHub apps, the biggest thing to consider is that GH Apps can't own forks. So it's important for branch protection policies to be in place so they can't push directly to important branches (main, nightly in our case). That doesn't really apply to publishing image-info, so perhaps we don't even need many changes to support your scenario.
@gdams is planning to take a look at this and figure out if it makes sense for us to try to contribute to the .NET code or go with the new-stage approach. (Our internal tracking issue: https://github.com/microsoft/go-lab/issues/183.)
> If we were to build-in support for GitHub apps, the biggest thing to consider is that GH Apps can't own forks. So it's important for branch protection policies to be in place so they can't push directly to important branches (main, nightly in our case).
Yeah, we're facing this dilemma for our Azure Linux PR automation, which is maybe more contentious because we don't own the repo. (At least, I think it should be contentious. 😄) Perhaps we still need to have a bot account to host the fork, but all automation goes through the app, installed on the fork/user, rather than a PAT. I'm not 100% sure the app permission model allows for all of this, though.
But also yes, image-info updates are direct pushes to repos we own (and I don't see an issue with this), so it's only something to consider for migrating other bot-driven stuff.
[Triage] @gdams or @dagood, please provide an update when you figure out if it makes sense to contribute to the .NET code for your situation. I've assigned the issue accordingly.
Complete with https://github.com/dotnet/docker-tools/pull/1663