This repository has been archived by the owner on Feb 14, 2019. It is now read-only.

add Github token to codebuild project env variables #37

Open
vincentsarago opened this issue Mar 20, 2018 · 1 comment

@vincentsarago
Contributor

Right now we only pass the NPM_ACCESS_TOKEN variable in the codebuild project to be able to install nodejs packages from public and private repos.

stork/lambda.js

Line 124 in b6d8990

{ name: 'NPM_ACCESS_TOKEN', value: options.npmToken }

When it comes to Python, sadly there are no such private and public packages. To overcome this we can use a private GitHub repo (pip3 install git+https://$GITHUB_ACCESS_TOKEN:[email protected]/blaabla/blabla.git), but to be able to do so within the codebuild project we need to have access to the GITHUB_ACCESS_TOKEN.

@rclark Do you think we could add this variable into the project?

@rclark
Contributor

rclark commented Mar 26, 2018

tl;dr Stork has a Github authentication rat's nest that needs to get unraveled before we can think clearly about adding more github-access functionality to the project. I don't really know what direction to take to clean this up, but I don't feel ok with exposing the Github token provided as a stack parameter to the CodeBuild projects at runtime.


Too many ways into Github

GithubAppId: { Type: 'String', Description: 'Your Github app ID' },
GithubAppInstallationId: { Type: 'String', Description: 'The installation ID of your Github app' },
GithubAppPrivateKey: { Type: 'String', Description: '[secure] A private key for your Github app' },
GithubAccessToken: { Type: 'String', Description: '[secure] A personal access token that can update Github Apps' },

Github App

GithubApp* parameters allow you to safely provide stork with the details of a GithubApp. An app is easier for security teams to monitor and track than a machine user's personal access token.

The app credentials get used:

stork/lambda.js

Line 458 in b6d8990

githubToken(appId, installationId, privateKey),

... to set CI status on Github PRs

stork/lambda.js

Line 366 in b6d8990

return githubToken(appId, installationId, privateKey)

... and to look for .stork.json and .buildspec.yml files in the github repo that's being built.

The Github app integration also sends webhook payloads to a stork stack whenever one of the repositories that it is watching gets a commit.

Personal token

Github Apps have a list of repositories that they watch. It turns out that a user cannot add or remove repositories from that list unless they use a personal access token, and that token must have admin-level permission to the entire github organization.

stork/lambda.js

Line 593 in b6d8990

const token = process.env.GITHUB_ACCESS_TOKEN;

Stork's "gatekeeper" lambda function is a workaround for this Github limitation. By authenticating themselves via AWS and being able to invoke the Lambda function, any person can add/remove a repository to be watched / built by stork.

OAuth

stork/lambda.js

Line 111 in b6d8990

auth: { type: 'OAUTH' }

The CodeBuild projects stork creates assume that you've set up the AWS OAuth application to have access to your repositories.
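As an added illustration of the concern above (example code written here, not stork's own lambda.js): the environmentVariables array that aws-sdk's codebuild.createProject() accepts can carry a secret either as a PLAINTEXT value, which is stored in the project definition and visible through the CodeBuild console and API, or as a PARAMETER_STORE reference, which only names an SSM SecureString parameter that CodeBuild resolves at build time. The parameter names below are hypothetical.

```javascript
// Added example, not stork's code. Shows the weak shape of a CodeBuild
// environmentVariables entry (secret value inline) beside the hardened
// shape (reference to an SSM parameter), plus an audit check a reviewer
// could run over a project definition before it is created.
const SECRET_NAME_PATTERN = /(TOKEN|SECRET|PASSWORD|PRIVATE_KEY|API_KEY)/i;

// Weak form: the token itself is embedded in the project definition.
function plaintextEnvironment(options) {
  return [
    { name: 'NPM_ACCESS_TOKEN', value: options.npmToken, type: 'PLAINTEXT' },
    { name: 'GITHUB_ACCESS_TOKEN', value: options.githubToken, type: 'PLAINTEXT' },
  ];
}

// Hardened form: the project only stores the SSM parameter name (hypothetical
// names such as '/stork/github-token'); the build role needs ssm:GetParameters
// on those parameters, and the value never appears in the project itself.
function parameterStoreEnvironment(options) {
  return [
    { name: 'NPM_ACCESS_TOKEN', value: options.npmTokenParameter, type: 'PARAMETER_STORE' },
    { name: 'GITHUB_ACCESS_TOKEN', value: options.githubTokenParameter, type: 'PARAMETER_STORE' },
  ];
}

// Audit check: names of variables that look like credentials but are stored
// as PLAINTEXT. CodeBuild treats a missing `type` as PLAINTEXT, so an entry
// like { name: 'NPM_ACCESS_TOKEN', value: options.npmToken } is flagged too.
function findPlaintextSecrets(environmentVariables) {
  return environmentVariables
    .filter((v) => SECRET_NAME_PATTERN.test(v.name))
    .filter((v) => (v.type || 'PLAINTEXT') === 'PLAINTEXT')
    .map((v) => v.name);
}

// Constructed sample run with placeholder values.
const weak = plaintextEnvironment({ npmToken: 'npm-placeholder', githubToken: 'gh-placeholder' });
const hardened = parameterStoreEnvironment({
  npmTokenParameter: '/stork/npm-token',
  githubTokenParameter: '/stork/github-token',
});
console.log('plaintext secrets (weak):', findPlaintextSecrets(weak));
console.log('plaintext secrets (hardened):', findPlaintextSecrets(hardened));
```

Even with the PARAMETER_STORE form the resolved token is present inside the build container, so a pip URL of the form git+https://$GITHUB_ACCESS_TOKEN:... still ends up in the build log if the buildspec echoes its commands.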
