
Q: Github App, required permissions

Open bongardino opened this issue 3 years ago • 7 comments

Documentation for using a GitHub App doesn't include what permissions are required for the App itself. It's a much different set of scopes than the GitHub user.

Is there a configuration guide for this, or does anyone know what scopes / permissions are required for a baseline Atlantis config for a repo via GitHub App? Bonus points if they support the PR approval workflow.

Also, thank you!

bongardino, Feb 17 '22 19:02

We also ran into this and it was a bit unclear ... we were missing the Organization level Members & Webhooks (may be unneeded but made it match the repo level) permissions and it wasn't set up by default when creating the app. We require the PR's approval for atlantis apply.

Is it possible that Organization level webhooks' permissions are not required?

Here are screenshots of what we have to make things work as expected:

Repository permissions [screenshot not preserved]

Organization permissions [screenshot not preserved]

User permissions [screenshot not preserved]

Subscribe to events [screenshot not preserved]

I hope this helps @bongardino, and I agree there needs to be better documentation for the GitHub App config.

jeff-clearcover, Feb 28 '22 22:02

@jeff-clearcover thanks for that config info. I am stuck simply getting the webhook yaml config to work. I'm not sure where in my repo atlantis.yaml config I should place that block. I've tried putting it within the project, at the top, or within a workflow and am getting various errors. I even tried to do it in the server side config yaml with no luck. How it actually looks in relation to a working atlantis.yaml repo config is basically my question.

kangman, Mar 02 '22 15:03

@jeff-clearcover thanks! This is useful; we ended up with a similar set of repo permissions / webhook settings. No User or Org permissions were needed, and we require approved and mergeable. Do you know what required R/W for Contents in your setup?

Sharing for posterity.

[screenshots not preserved: repo_permissions, webhook]

Actions RO is also not required, we're just testing something.

bongardino, Mar 02 '22 17:03

@bongardino can I pose my question to you as well? I'm a bit confused as to where the webhook config should be placed in my repo atlantis.yaml config. I see the documentation here.

config snippet

webhooks:
- event: apply
  workspace-regex: .*
  kind: slack
  channel: my-channel

but I've tried to place it in my repo's atlantis.yaml file

version: 3
automerge: true
delete_source_branch_on_merge: true
projects:
  - name: test1
    dir: .
    workspace: default
    workflow: dev-wf
  - name: test2
    dir: 
    workspace: default
    delete_source_branch_on_merge: true
    autoplan:
      when_modified: ["*.tf", "*.tfvars"]
      enabled: true
    apply_requirements: [mergeable, approved]
    workflow: stage-wf
webhooks:
- event: apply
  workspace-regex: .*
  kind: slack
  channel: my-channel
workflows:
  dev-wf:
    plan:
      steps:
        - init
        - plan

kangman, Mar 02 '22 17:03
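For reference, the Atlantis documentation linked in the thread splits these settings across two files, and the confusion above comes from putting them in the same one. The following is an added example, not the poster's own config: the `webhooks` block belongs in the server-side config file passed to `atlantis server` with `--config`, while the repo-level `atlantis.yaml` carries only projects and workflows. The channel, project and directory names are placeholders.

```yaml
# --- server config (added example; passed to "atlantis server --config server.yaml") ---
# Webhooks are server-side configuration. Keeping them here means repo
# contributors cannot add, remove or redirect notifications by editing
# files in the repository.
webhooks:
  - event: apply            # "apply" is the event the Atlantis docs use
    workspace-regex: .*     # which Terraform workspaces trigger this hook
    branch-regex: .*        # which branches trigger this hook
    kind: slack
    channel: my-channel     # placeholder Slack channel
# The Slack token is not stored in this file: pass it with --slack-token
# or the ATLANTIS_SLACK_TOKEN environment variable so it stays out of
# version-controlled config.

# --- atlantis.yaml at the root of the repository (added example) ---
# Repo-level config has no "webhooks" key; keep it to projects and workflows.
version: 3
automerge: true
delete_source_branch_on_merge: true
projects:
  - name: stage             # placeholder project name
    dir: stage              # placeholder directory
    workspace: default
    autoplan:
      when_modified: ["*.tf", "*.tfvars"]
      enabled: true
    apply_requirements: [mergeable, approved]
    workflow: stage-wf
workflows:
  stage-wf:
    plan:
      steps:
        - init
        - plan
```

One caveat worth checking when the approval requirement seems to be ignored: `apply_requirements` set in the repo-level file only takes effect if the server-side repo config lists it under `allowed_overrides`; otherwise the server-side value wins, which is what stops a pull request author from weakening the approval gate by editing the repository's own `atlantis.yaml`.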

@kangman sorry! haven't tried webhooks yet, and it looks like you already found the PR page for the docs so I've got nothing useful 🤷‍♂️

bongardino, Mar 02 '22 19:03

I'm in the same boat; webhooks do not seem to work.

rafi-fisker, Mar 14 '22 18:03

FWIW I also had trouble with this. I was able to get PR comments triggering Atlantis, but not commits (autoplan). Here is what I ended up with, which finally got autoplan working:

[screenshot not preserved]

npwolf, Apr 10 '24 21:04