Convert OPENTELEMETRYBOT_GITHUB_TOKEN org secret to fine-grained PAT

Open trask opened this issue 1 year ago • 10 comments

See motivation at https://github.com/open-telemetry/community/issues/1503#issuecomment-1562214077.

I will be pinging the repos which are already using the org secret to let them know we'll be switching the org secret over to a fine-grained PAT.

Current target is to make this switch on Wed, June 28 (I'm on vacation next week so want to wait until afterwards in case of any issues).

After we switch the org secret over to the fine-grained PAT, I'll revoke the old PAT.

trask avatar Jun 15 '23 01:06 trask

pinging all maintainers for repos that are using OPENTELEMETRYBOT_GITHUB_TOKEN

  • https://github.com/open-telemetry/opentelemetry-collector - @open-telemetry/collector-maintainers
  • https://github.com/open-telemetry/opentelemetry-collector-contrib - @open-telemetry/collector-contrib-maintainer
  • https://github.com/open-telemetry/opentelemetry-go - @open-telemetry/go-maintainers
  • https://github.com/open-telemetry/opentelemetry-go-build-tools - @open-telemetry/go-maintainers
  • https://github.com/open-telemetry/opentelemetry-go-contrib - @open-telemetry/go-maintainers
  • https://github.com/open-telemetry/opentelemetry-operator - @open-telemetry/operator-maintainers
  • https://github.com/open-telemetry/opentelemetry-python - @open-telemetry/python-maintainers
  • https://github.com/open-telemetry/opentelemetry-python-contrib - @open-telemetry/opentelemetry-python-contrib-maintainers
  • https://github.com/open-telemetry/opentelemetry.io - @open-telemetry/docs-maintainers
  • https://github.com/open-telemetry/experimental-arrow-collector - @open-telemetry/collector-maintainers

so far, the fine-grained token has only the permissions in the screenshot below.

this has been enough for the Java repos, but we aren't using @opentelemetrybot to update issues, so if you have any automation that requires updating issues (or anything else besides creating/updating PRs) let me know

image

trask avatar Jun 15 '23 02:06 trask

@trask thanks for letting us know.

In the operator repo we use the bot to sync some 3rd party GH repos and open PRs (similar to what is done in the java auto-instrumentation to submit PRs to the operator repo). Will that continue to work?

  • https://github.com/open-telemetry/opentelemetry-operator/blob/80dd330bb0dd3990061738a104dad7e21994408b/.github/workflows/reusable-operator-hub-release.yaml#L35
  • https://github.com/open-telemetry/opentelemetry-operator/blob/80dd330bb0dd3990061738a104dad7e21994408b/.github/workflows/reusable-operator-hub-release.yaml#L85

pavolloffay avatar Jun 15 '23 16:06 pavolloffay

After looking at the use of this token in the collector & collector-contrib repos, I believe the workflows will continue to work for those repos with the fine-grained PAT.

codeboten avatar Jun 16 '23 22:06 codeboten

Should be OK for:

  • https://github.com/open-telemetry/opentelemetry-go
  • https://github.com/open-telemetry/opentelemetry-go-build-tools
  • https://github.com/open-telemetry/opentelemetry-go-contrib

pellared avatar Jun 20 '23 10:06 pellared

@pavolloffay I think you will need more access for that usage.

I've created a separate fine-grained PAT that I think will give you the access you need to opentelemetrybot's forks (see screenshot below).

@open-telemetry/technical-committee what do you think about storing this new fine-grained PAT in an org secret scoped to only opentelemetry-operator repository, named OPENTELEMETRYBOT_OPERATOR_FORKS_GITHUB_TOKEN.

image

trask avatar Jul 01 '23 16:07 trask

> @open-telemetry/technical-committee what do you think about storing this new fine-grained PAT in an org secret scoped to only opentelemetry-operator repository, named OPENTELEMETRYBOT_OPERATOR_FORKS_GITHUB_TOKEN.

@arminru what do you think?

trask avatar Jul 06 '23 00:07 trask

> @open-telemetry/technical-committee what do you think about storing this new fine-grained PAT in an org secret scoped to only opentelemetry-operator repository, named OPENTELEMETRYBOT_OPERATOR_FORKS_GITHUB_TOKEN.
>
> @arminru what do you think?

@trask +1 on using the fine-grained tokens scoped to individual repos instead of the org-wide OTel Bot token. I'll reach out to you directly to set it up.

arminru avatar Jul 06 '23 14:07 arminru

@arminru and I discussed on Slack and agreed for now at least that we would share repo-specific tokens directly with maintainers of those repos instead of adding them as repo-scoped org secrets

@pavolloffay I'll send you a one-time link for the PAT that can be used for the above operator workflows

trask avatar Jul 06 '23 15:07 trask

@trask In OTel Python we only use OPENTELMETRYBOT_GITHUB_TOKEN for our release process (you committed the .yml files yourself). We made a change to use OPENTELMETRYBOT_GITHUB_TOKEN afterwards.

ocelotl avatar Jul 27 '23 15:07 ocelotl

In Python we only use this token in our release process to create release PRs. We should be ok :+1:

ocelotl avatar Jul 27 '23 16:07 ocelotl