
REQUEST: Repository maintenance on opentelemetry-js-contrib

Open pichlermarc opened this issue 1 year ago • 2 comments

Affected Repository

https://github.com/open-telemetry/opentelemetry-js-contrib

Requested changes

  • Give write permissions to @opentelemetrybot
  • Create a fine-grained PAT for @opentelemetrybot to create PRs and Releases on the https://github.com/open-telemetry/opentelemetry-js-contrib repository
    • I'm not sure if stating the required scopes should be public, feel free to reach out to me on the CNCF slack to discuss details.

Purpose

We currently have a workflow that's creating release PRs and releases via the release-please-action and predates the creation of the @opentelemetrybot account. We'd prefer switching to using the bot account so that PRs and releases authored by the automation be properly identified as such.

Expected Duration

permanently

Repository Maintainers

  • @open-telemetry/javascript-maintainers

pichlermarc avatar Nov 21 '23 15:11 pichlermarc

cc @open-telemetry/technical-committee

trask avatar Jan 02 '24 23:01 trask

Thanks for the ping @trask. Based on this doc, it seems like all that is needed for the @open-telemetry/javascript-maintainers to use @opentelemetrybot to create PRs and releases is to grant the opentelemetry-js-contrib repo access to the OPENTELEMETRYBOT_GITHUB_TOKEN.

However, @pichlermarc requests granting additional permissions to @opentelemetrybot and creating a fine-grained PAT. Why the need for the additional permissions and the separate fine-grained PAT?

jack-berg avatar Jan 02 '24 23:01 jack-berg

Why the need for the additional permissions and the separate fine-grained PAT?

Sorry for the (very) late reply. :fearful:

We were planning to continue using the https://github.com/google-github-actions/release-please-action, which automatically creates a release PR and the releases in GitHub.

In order for @opentelemetrybot to create these releases, I was under the impression that the bot user would need write access for releases in the repository. Due to that additional access, I saw using a fine-grained PAT (scoped to the js-core repo only) as the more secure option.

However, reading https://github.com/open-telemetry/community/issues/1549#issuecomment-1653877770 and the Python SIG's release workflow, it looks like we might actually be able to do this without giving the bot additional access. We'll likely be able to use the OPENTELEMETRYBOT_GITHUB_TOKEN to create the release PR, and then the usual GITHUB_TOKEN to create the release.

Let's try with just access to OPENTELEMETRYBOT_GITHUB_TOKEN first. I think you're right @jack-berg, just using that should work fine :slightly_smiling_face:

pichlermarc avatar Mar 05 '24 09:03 pichlermarc
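The token split discussed in the comment above, written out as an added illustration that is not the opentelemetry-js-contrib workflow: one job opens the release PR with the bot's token, a second job cuts the GitHub release with the run's own GITHUB_TOKEN. It assumes the `command` inputs of release-please-action v3 (`release-pr`, `github-release`), a single-package `release-type: node` layout, and the secret name OPENTELEMETRYBOT_GITHUB_TOKEN as used in the thread.

```yaml
# Added example, not the project's own workflow file.
# Assumes release-please-action v3 "command" inputs and a single node package.
name: release-please

on:
  push:
    branches: [main]

# Least privilege for the run-scoped GITHUB_TOKEN: it only has to create
# the release and tag (contents) and find the merged release PR.
permissions:
  contents: write
  pull-requests: read

jobs:
  release-pr:
    runs-on: ubuntu-latest
    steps:
      # The bot's token is used only in this job, so the release PR is
      # authored by @opentelemetrybot. The PAT needs read access to contents
      # and write access to pull requests on this repository, nothing more.
      - uses: google-github-actions/release-please-action@v3
        with:
          command: release-pr
          release-type: node
          token: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN }}

  github-release:
    runs-on: ubuntu-latest
    steps:
      # The release itself is created with the workflow's own GITHUB_TOKEN,
      # so the bot account needs no release/write permission on the repo.
      - uses: google-github-actions/release-please-action@v3
        with:
          command: github-release
          release-type: node
          token: ${{ secrets.GITHUB_TOKEN }}
```

Keeping the bot secret out of the release job means a compromise of that job's steps exposes only the short-lived GITHUB_TOKEN, and the bot's PAT never needs release scope at all.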

Ok @pichlermarc - I'm sorry for my late reply as well. I'm going to go ahead and close this because it looks like we can get away with using OPENTELEMETRYBOT_GITHUB_TOKEN. Happy to re-open if I'm misunderstanding.

jack-berg avatar Apr 19 '24 21:04 jack-berg