Create private repository for source clone tests

Open adambkaplan opened this issue 4 years ago • 6 comments

Cloning source code from private git repositories is a critical feature. Our end to end test suite needs to ensure that we are able to clone source from git using supported credentials to the furthest extent we can.

To that end, we need the following:

  1. A private repository in the shipwright-io organization that can be used to run a build.
  2. A bot/test user account with credentials under the control of project maintainers, and with permission to clone source code from this private repository.
  3. Add secrets to our CI jobs which contain credentials for the bot account.

adambkaplan • Mar 23 '21 13:03

@mattcui fyi

qu1queee • Mar 23 '21 13:03

I changed the private sample repo name to sample-nodejs-private and copied some nodejs code from the sample-nodejs public repo. For the credential to access this private repo, as suggested by @SaschaSchwarze0, I used the deploy key rather than a user/bot account, so that it's easy to control the access/security. I am working on the PR -> https://github.com/shipwright-io/build/pull/693

mattcui • Mar 29 '21 12:03

To address this requirement, I listed all tasks we should do below:

  • [x] create a private github repo
  • [x] copy nodejs sample code into this private repo
  • [x] create a pair of ssh keys, set the public key in the private repo as deploy key
  • [x] set the private key in build repo as a secret
  • [x] Add code logic to create sshkey secret in workflow ci.yml file
  • [x] create build/buildrun yaml files to build the image from private repo
  • [x] update e2e_test.go to add a test case to run build/buildrun defined in the above step
  • [x] cleanup all build/buildrun yaml files from test/data which were never used
  • [x] create a feature branch from master in shipwright.io/build - @qu1queee
  • [x] push the code into the feature branch to test the code, as the secret can't be accessed from forked repo
  • [x] fully test and review/merge pr

@qu1queee Please help create a feature branch from master, thanks.

mattcui • Mar 30 '21 06:03

PR https://github.com/shipwright-io/build/pull/722 is ready for review.

mattcui • Apr 08 '21 12:04

Status update here:

  1. We have private git repositories configured for Shipwright, but unfortunately we can't fully use these to test in GitHub actions because the credentials needed are not available in pull requests.
  2. @blairdrummond has made some headway in #849 to deploy a private git server to KIND, which can then be used as a place to clone source using an ephemeral ssh key.

adambkaplan • Sep 22 '21 13:09
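
The "create sshkey secret in workflow" task and the fork limitation from the status update above, sketched as an added example that is not part of the thread or the project's CI. It assumes the deploy key arrives as a CI secret and is stored as a standard Kubernetes `kubernetes.io/ssh-auth` Secret; the function names, secret name, namespace and sample key are hypothetical.

```shell
#!/bin/sh
# Added example: render a kubernetes.io/ssh-auth Secret from a deploy key
# passed in by CI. Every name below is hypothetical.

# render_ssh_secret NAME NAMESPACE KEY_MATERIAL
# Prints the Secret manifest on stdout and returns 0.
# Returns 3 when KEY_MATERIAL is empty, which is what a workflow triggered
# from a fork sees because repository secrets are not passed to it.
# Returns 2 when the value does not look like a private key.
render_ssh_secret() {
    secret_name=$1
    secret_ns=$2
    key_material=$3
    if [ -z "$key_material" ]; then
        echo "deploy key not available, skipping private-repo tests" >&2
        return 3
    fi
    case $key_material in
        *"PRIVATE KEY-----"*) ;;
        *) echo "value does not look like a private key" >&2; return 2 ;;
    esac
    # Re-add the trailing newline; OpenSSH can reject key files that lack it.
    encoded=$(printf '%s\n' "$key_material" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $secret_name
  namespace: $secret_ns
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: $encoded
EOF
}

# Reads a manifest on stdin and prints the decoded key (round-trip check).
decode_ssh_secret() {
    sed -n 's/^  ssh-privatekey: //p' | base64 -d
}

# Constructed placeholder, not a real key.
SAMPLE_KEY='-----BEGIN OPENSSH PRIVATE KEY-----
Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=
-----END OPENSSH PRIVATE KEY-----'
```

In a workflow step the manifest can be piped to `kubectl apply -f -`, with exit status 3 treated as "skip the private-repository test case" rather than as a failure.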

GitHub actions recently added new features that allow you to access ephemeral GitHub tokens with narrowly scoped permissions. In theory we can use this to obtain a token that has permissions to pull from private repositories associated with this org, with no need for dedicated "robot accounts" with permanent credentials.

adambkaplan • Jan 26 '22 14:01