
Support remote policy files in private repositories

Open NargiT opened this issue 4 years ago • 4 comments

Hello,

I would like to know why the remote policy configuration has to be fully public. We would like to use it with a GitHub Enterprise on-premise version where everything is private.

Since Policy Bot is installed at the organization level, I do not see any blocker to also allowing the remote policy configuration to be accessed privately (using a token).

Thanks in advance for the clarification; I can help to provide this feature.

NargiT, Jul 19 '19 09:07

When you say that "everything is private" do you mean that your GitHub Enterprise instance is in private mode (you must authenticate to see any content) or that all repositories are private (even if you are authenticated, you can only see repositories where you have permission)?

If you are using "private mode", Policy Bot will work fine with remote policies; this is how we run it internally.

If you are using actual private repositories, I believe Policy Bot already supports reading from private repositories in the same organization. I haven't tested this, but the code uses an authenticated organization client when fetching configuration. This requires that the app is enabled for the target repository (or for all repositories in the organization).

Private repositories in other organizations are not supported. While we could support this if Policy Bot is installed on the target organization, it makes the code more complicated and I'm not sure it is required.

bluekeyes, Jul 19 '19 16:07

We use it in "private mode" and with "private permission". But we are working in multiple organizations and Policy Bot is already installed in all of them. This feature is already supported by `has_contributor_in:`, which is why I thought it would not be a problem for remote policies.

In our case we have multiple organizations because we manage a lot of things automatically and we do not want to mix "developer friendly" repos with "robot friendly" repos.

Do you think it would be possible to integrate this feature?

NargiT, Jul 22 '19 08:07

A little clarification: I am talking about this case: https://github.com/palantir/policy-bot#remote-policy-configuration

> If you are using "private mode", Policy Bot will work fine with remote policies; this is how we run it internally.

Maybe another permission is required? Is there a way to run Policy Bot in verbose/debug mode to see these kinds of errors?

NargiT, Feb 20 '20 13:02

If I understand your setup correctly, you are also using private repositories and in this case, remote policies will only work if the remote policy is in a private repository in the same organization as the repository referencing the policy. I think the errors you are seeing (when referencing a policy in a different organization) are expected, but you can set the logging level to debug in the server configuration to enable additional logging.

While it's definitely possible to refactor the code so that the correct organization client is used when fetching policies, I don't think we'll implement this in the near future given other priorities. But we're happy to review PRs if you'd like to try adding it yourself.

bluekeyes, Feb 20 '20 18:02
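The behaviour discussed in this thread comes down to which installation-scoped client is used to read a remote policy: the referencing repository's own organization client can only see repositories in that organization, so a `remote: other-org/repo` reference fails, and the refactor bluekeyes mentions would pick the client for the remote's organization instead. The following Go example is added here to illustrate both selection strategies side by side; it is not Policy Bot's code, and `RemoteRef`, `OrgClient`, `Installations` and `ClientForRemote` are hypothetical names standing in for the real client types.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RemoteRef identifies the repository a remote policy is read from ("owner/repo").
type RemoteRef struct {
	Owner string
	Repo  string
}

// ParseRemote splits an "owner/repo" value as written in the remote policy option.
func ParseRemote(s string) (RemoteRef, error) {
	parts := strings.Split(strings.TrimSpace(s), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return RemoteRef{}, fmt.Errorf("invalid remote %q: expected owner/repo", s)
	}
	return RemoteRef{Owner: parts[0], Repo: parts[1]}, nil
}

// OrgClient is a hypothetical stand-in for a GitHub client authenticated with
// the app installation token of one organization. Such a token can read
// private repositories only inside that organization (least privilege).
type OrgClient struct {
	Org string
}

// Installations maps organization name -> installation-scoped client, one per
// organization on which the app is installed.
type Installations map[string]*OrgClient

// ErrNoInstallation is returned when no installation can read the remote repository.
var ErrNoInstallation = errors.New("app is not installed on the target organization")

// ClientForRemote selects the client used to fetch the remote policy.
//
// sameOrgOnly=true models the behaviour described in the thread: the client of
// the referencing repository's organization is always used, so a remote in
// another organization is rejected even if the app is installed there.
// sameOrgOnly=false models the suggested refactor: the client is looked up by
// the remote's own organization, and only a missing installation is an error.
func ClientForRemote(inst Installations, referencingOrg string, remote RemoteRef, sameOrgOnly bool) (*OrgClient, error) {
	if sameOrgOnly && remote.Owner != referencingOrg {
		return nil, fmt.Errorf("remote %s/%s is outside organization %s: %w",
			remote.Owner, remote.Repo, referencingOrg, ErrNoInstallation)
	}
	c, ok := inst[remote.Owner]
	if !ok {
		return nil, fmt.Errorf("remote %s/%s: %w", remote.Owner, remote.Repo, ErrNoInstallation)
	}
	return c, nil
}

func main() {
	// Constructed sample: the app is installed on two organizations.
	inst := Installations{
		"dev-org":   {Org: "dev-org"},
		"robot-org": {Org: "robot-org"},
	}
	remote, _ := ParseRemote("robot-org/policies")

	// A repository in dev-org referencing a policy in robot-org.
	_, err := ClientForRemote(inst, "dev-org", remote, true)
	fmt.Println("same-org only:", err) // fails, as in the thread

	c, err := ClientForRemote(inst, "dev-org", remote, false)
	fmt.Println("per-org lookup:", c.Org, err) // robot-org <nil>
}
```

Debug-level logging, as bluekeyes suggests, is what makes the first failure visible in practice: the wrapped `ErrNoInstallation` keeps the organization and repository in the message so the log line shows which remote could not be read and why.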