org icon indicating copy to clipboard operation
org copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

REQUEST: Generate a new GITHUB_TOKEN for Prow tasks running on the GitHub Project Beta board.

Open Priyankasaggu11929 opened this issue 2 years ago • 15 comments

The Kubernetes Release Team Enhancements sub-project is attempting to move away from using a Google Spreadsheet (as is presently done) and towards a more GitHub friendly solution for tracking KEP/enhancements that are opted-in during a Kubernetes release cycle.

The team proposes using a Periodic prow job executing a script that will be introduced as part of this PR kubernetes/sig-release#1968 to input and sync data into an Enhancements GitHub Project Beta board.

The script uses GitHub CLI to do the necessary tasks and expects a GITHUB_TOKEN Env variable available in the Prow Job container with the following appropriate permissions (for authentication):

  • repo:
    • public_repo: Access public repositories
  • write:org: Read and write org and team membership, read and write org projects
  • read:org: Read org and team membership, read org projects
  • project: Full control of projects
    • read:project Read access of projects

This issue is to track the creation of the requested GITHUB_TOKEN and add it to one of the prow build clusters.

cc: @ameukam @palnabarun @mrbobbytables

Priyankasaggu11929 avatar Jul 14 '22 13:07 Priyankasaggu11929

/transfer org

ameukam avatar Jul 14 '22 14:07 ameukam

You can reuse the Github token stored as secret k8s-triage-robot-github-token in the GKE cluster `k8s-infra-prow-build-trusted.

@cblecker WDYT ? it's currently used for triage : https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-contribex-k8s-triage-robot.yaml.

ameukam avatar Jul 25 '22 12:07 ameukam

/cc

cici37 avatar Jul 25 '22 20:07 cici37

Thanks @ameukam. I'll go ahead with using the k8s-triage-robot-github-token token for the prow job, once @cblecker confirms. :)

Priyankasaggu11929 avatar Jul 26 '22 04:07 Priyankasaggu11929

Taking it as no objection on using the token k8s-triage-robot-github-token for the periodic runs of automation script for Release Team Enhancements tracking GitHub boards. Thank you!

Priyankasaggu11929 avatar Sep 09 '22 14:09 Priyankasaggu11929

@ameukam - We have tried to use the token k8s-triage-robot-github-token but that token does not have the correct scopes to interact with Github project boards. We need a token that also has the project scope.

For reference - Here's the full error message, the current job configuration, and the enhancement sync script.

Can we (1) modify the scope for k8s-triage-robot-github-token or (2) generate a new token with the requested scopes?

rhockenbury avatar Sep 14 '22 03:09 rhockenbury

@ameukam - We have tried to use the token k8s-triage-robot-github-token but that token does not have the correct scopes to interact with Github project boards. We need a token that also has the project scope.

For reference - Here's the full error message, the current job configuration, and the enhancement sync script.

Can we (1) modify the scope for k8s-triage-robot-github-token or (2) generate a new token with the requested scopes?

Option (2) seems like the logical path for this use case. I'll try to generate a new token with the required scopes. Is it possible to get the full of permissions required for this token ?

ameukam avatar Sep 14 '22 11:09 ameukam

Thanks. I tested the permissions. The token needs to have public_repo and project.

rhockenbury avatar Sep 14 '22 14:09 rhockenbury

@ameukam ^ Gentle bump. Do you have a rough idea of the timeline for getting that new token?

rhockenbury avatar Sep 18 '22 18:09 rhockenbury

/cc

leonardpahlke avatar Sep 20 '22 08:09 leonardpahlke

@ameukam ^ Gentle bump. Do you have a rough idea of the timeline for getting that new token?

@rhockenbury Somehow I missed your comments, I'll try to get this done as soon I have some time.

ameukam avatar Sep 21 '22 16:09 ameukam

Created the token and it will be synced to the build cluster as k8s-release-enhancements-triage-github-token: https://github.com/kubernetes/k8s.io/pull/4259.

@rhockenbury @Priyankasaggu11929 we should update the ProwJob to use the new secret.

ameukam avatar Sep 23 '22 09:09 ameukam

Thanks so much for the help, @ameukam.

Raised a PR to update the ProwJob to use the new secret - https://github.com/kubernetes/test-infra/pull/27607

Priyankasaggu11929 avatar Sep 23 '22 10:09 Priyankasaggu11929

Just an update: despite the new secret and GITHUB TOKEN, the job still failed.

Arnaud and I will get on a call, next week and manually test in with a new GITHUB TOKEN before reinstating the job.

cc: @rhockenbury @leonardpahlke

Priyankasaggu11929 avatar Sep 28 '22 06:09 Priyankasaggu11929

OK! If there is anything I can help with, please let me know. :)

leonardpahlke avatar Sep 28 '22 10:09 leonardpahlke

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Dec 27 '22 11:12 k8s-triage-robot

/remove-lifecycle stale

palnabarun avatar Jan 06 '23 03:01 palnabarun

@Priyankasaggu11929 -- were you able to get on a call and debug this?

@ameukam (when you are back from PTO) -- which account did you create the token for? and are the permissions as mentioned in https://github.com/kubernetes/org/issues/3558#issuecomment-1246822871 ?

palnabarun avatar Jan 06 '23 03:01 palnabarun

The Prow job with bad credentials has not yet been fixed despite many attempts by @ameukam and myself to test with various GH PAT tokens.

The SIG Release leads have agreed to use GitHub Actions Workflow as the latest update on automating the Enhancements board, as discussed in this slack conversation.

The bug-triage team also has a similar workflow, so it may be useful to adopt a similar approach for automating Enhancements tracking board too.

With that, it seems ok to close this issue for now and reopen if needed in the future.

/close

Priyankasaggu11929 avatar Jan 06 '23 07:01 Priyankasaggu11929

@Priyankasaggu11929: Closing this issue.

In response to this:

The Prow job with bad credentials has not yet been fixed despite many attempts by @ameukam and myself to test with various GH PAT tokens.

The SIG Release leads have agreed to use GitHub Actions Workflow as the latest update on automating the Enhancements board, as discussed in this slack conversation.

The bug-triage team also has a similar workflow, so it may be useful to adopt a similar approach for automating Enhancements tracking board too.

With that, it seems ok to close this issue for now and reopen if needed in the future.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 06 '23 07:01 k8s-ci-robot

@Priyankasaggu11929 -- were you able to get on a call and debug this?

@ameukam (when you are back from PTO) -- which account did you create the token for? and are the permissions as mentioned in #3558 (comment) ?

Token was created from @k8s-infra-ci-robot but revoked as mentioned in https://github.com/kubernetes/org/issues/3558#issuecomment-1373250662.

ameukam avatar Jan 11 '23 11:01 ameukam