
Add github-app-auth-only to scala-steward CLI

Open alexklibisz opened this issue 2 years ago • 10 comments

Branching off of this discussion: https://github.com/scala-steward-org/scala-steward/discussions/2822

I would like to port the github-app-auth-only flag and corresponding behavior from the scala-steward-action directly into scala-steward.

Is there any reason this would be a bad idea?

alexklibisz, Feb 12 '23 18:02

I think one of the main reasons is because Scala Steward uses the askpass.sh to authenticate with forges (GitHub in this case). So it is something you should provide to Scala Steward from the environment (that's why it was possible to provide it on the action). It shouldn't be too hard though to retrieve an installation token on a Docker environment using the API (here are the docs).

alejandrohdezma, Feb 13 '23 10:02

IIUC, scala-steward can already take GitHub app credentials and use them to list all repos available to the app. My thinking was that this change should just restrict that list to the intersection of (all repos available to the app) and (all repos in repos.md).

alexklibisz, Feb 13 '23 16:02

But in that case the two inputs won't be doing the same thing. Scala-steward doesn't use the provided app/id/secret-key to authenticate GitHub calls (like creating a PR) but just for retrieving the list of repositories available to the App since askpass.sh is used as the source of authentication.

On the other hand, the github-app-auth-only input on the action retrieves the installation token for a specific installation and uses that on askpass.sh so PRs (and any call made to the GitHub API) are done using GitHub App credentials.

alejandrohdezma, Feb 13 '23 17:02

I think I'm starting to understand... It sounds like the GitHub app ID and key are actually only intended to be an alternative to repos.md. And you still have to provide a token regardless. If that's correct, I think I can probably make a PR to just clarify that in the docs. Right now, that's not obvious at all IMHO.

alexklibisz, Feb 20 '23 19:02

> I think I'm starting to understand... It sounds like the GitHub app ID and key are actually only intended to be an alternative to repos.md. And you still have to provide a token regardless.

Yeah, that is correct.

> If that's correct, I think I can probably make a PR to just clarify that in the docs. Right now, that's not obvious at all IMHO.

That would be more than welcome 😊

alejandrohdezma, Feb 20 '23 19:02

Help strings are now updated. Thanks for the quick review.

I think it still might make sense to add this --github-app-auth-only flag. Contrary to my initial understanding, the flag would do the following:

  1. Use the app credentials to call the GitHub API to get a token.
  2. Ignore the repos returned by the app credentials.
  3. Steward the repos in repos.md, using the token returned from step 1 instead of the token returned from git-ask-pass.

alexklibisz, Feb 23 '23 16:02

I'm not so sure, this is something people could just add to their ask-pass.sh if they want/need the functionality. Having a way to "login" into GitHub different to any other forge could be misleading. @scala-steward-org/core WDYT?

alejandrohdezma, Feb 23 '23 16:02

> Having a way to "login" into GitHub different to any other forge could be misleading.

I agree with this.

Also, if a GitHub App API token can be retrieved before running Scala Steward in a separate program, that would keep Scala Steward simpler. Maybe it would also make more sense to move the GitHub App code we currently have into a separate program that calls the GitHub App API to create the repos.md that is then consumed by Scala Steward. All the GitHub App stuff (auth + repos) would then be handled in a separate program that runs before Scala Steward and prepares the askpass program and repos.md.

fthomas, Feb 26 '23 10:02

> All the GitHub App stuff (auth + repos) would then be handled in a separate program that runs before Scala Steward and prepares the askpass program and repos.md.

I agree that if we don't want to pull more GitHub-specific logic into scala-steward, then the current logic for determining repos from a GitHub App probably makes more sense to be outside of core scala-steward. Maybe the official action is a good place for it. Whether it's worthwhile to rip it out at this point is up to you.

I'm happy closing the issue now. I see where you're both coming from, and I think the updated CLI docs should help clarify this for other users.

alexklibisz, Mar 01 '23 16:03

> All the GitHub App stuff (auth + repos) would then be handled in a separate program that runs before Scala Steward and prepares the askpass program and repos.md.

I'm currently experimenting with this idea at https://github.com/scala-steward-org/scala-steward/compare/topic/gh-app-facade. The gist of that GitHub App facade is https://github.com/scala-steward-org/scala-steward/blob/e72ff420b1ffec529499845af67a8f8b82f42f33/modules/gh-app-facade/src/main/scala/org/scalasteward/ghappfacade/FacadeAlg.scala#L50-L78 which prepares a repos and askpass file before running Scala Steward for a GH app installation. Since the access token used in an askpass file is specific to an installation, Scala Steward is also able to work with private repositories.

fthomas, Dec 21 '23 13:12
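
The approach this thread settles on (obtain the GitHub App installation token in a separate step and hand it to Scala Steward through the askpass program) can be sketched as follows. This is an added example, not code from Scala Steward, the action, or the gh-app-facade branch; the function names and the `token`/`askpass.sh` file layout are hypothetical, and it assumes `openssl`, `base64` and a `curl` new enough (7.55+) to read headers with `-H @-`.

```sh
#!/bin/sh
# Added example (hypothetical names/paths): mint a GitHub App installation
# token before the run and expose it to Scala Steward via an askpass program.
set -eu

# base64url without padding, as JWT requires
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# app_jwt <app_id> <private_key.pem> [now]: short-lived RS256 JWT for the App
app_jwt() {
  now=${3:-$(date +%s)}
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 540))" "$1" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" |
    openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# Pull the "token" field out of the API response (no jq dependency)
token_from_json() {
  sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# installation_token <jwt> <installation_id>
# The JWT is fed to curl on stdin (-H @-) so it never appears in argv.
installation_token() {
  printf 'Authorization: Bearer %s\n' "$1" |
    curl -fsS -X POST -H @- -H 'Accept: application/vnd.github+json' \
      "https://api.github.com/app/installations/$2/access_tokens" |
    token_from_json
}

# write_askpass <dir> <token>: token in a 0600 file, askpass script prints it
write_askpass() {
  ( umask 077
    printf '%s\n' "$2" > "$1/token"
    printf '#!/bin/sh\ncat "%s/token"\n' "$1" > "$1/askpass.sh"
    chmod 700 "$1/askpass.sh" )
  printf '%s\n' "$1/askpass.sh"
}

# main <app_id> <private_key.pem> <installation_id> <dir>
main() {
  token=$(installation_token "$(app_jwt "$1" "$2")" "$3")
  [ -n "$token" ] || { echo "no installation token returned" >&2; return 1; }
  write_askpass "$4" "$token"
}
if [ "$#" -eq 4 ]; then main "$@"; fi
```

Installation access tokens expire after one hour, so run this step before each Scala Steward run instead of reusing an old askpass file, and keep the target directory private to the user running the job.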