Create a GitHub app for nixpkgs-vet releases #26

Open
infinisil opened this issue Aug 30, 2024 · 7 comments
Comments

@infinisil (Member)

Also asked on Matrix:

I need a GitHub App to create releases for nixpkgs-vet (formerly nixpkgs-check-by-name), see here for more context.

Instructions:

  • Create new App (direct link) with permissions Repository->Content->Read/Write, name can be "Nixpkgs-vet releases"
  • Install the App on the org, give it access to only https://github.com/nixos/nixpkgs-vet
  • Set the App ID as a new repository variable (direct link) named RELEASES_APP_ID
  • Generate a private key for the App and set it as a new repository secret (direct link) named RELEASES_PRIVATE_KEY

I will then be able to use this GitHub Action to get ephemeral GitHub App installation tokens for CI
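One way the last step could be wired up, as an added example that is not from the issue or the nixpkgs-vet repository: a release workflow that reads the variable and secret named above. The action name actions/create-github-app-token, the tag trigger and the build/release commands are assumptions, not something the issue states.

```yaml
# Added example, not from the issue or the nixpkgs-vet repository.
# Assumes the token-minting action is actions/create-github-app-token
# (the issue only says "this GitHub Action") and that the release is
# created with the gh CLI. RELEASES_APP_ID and RELEASES_PRIVATE_KEY are
# the repository variable and secret named in the issue.
name: Release

on:
  push:
    tags: ["v*"]

# The workflow's own GITHUB_TOKEN gets read access only; the sole
# write-capable credential is the short-lived App installation token.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Mint an installation token for the releases App
        id: app-token
        uses: actions/create-github-app-token@v1   # pin to a commit SHA in practice
        with:
          app-id: ${{ vars.RELEASES_APP_ID }}
          private-key: ${{ secrets.RELEASES_PRIVATE_KEY }}
          # The App is installed on this repository only, so the token
          # carries Content: Read/Write for this repository and nothing else.

      - name: Build
        run: nix build .   # placeholder build step

      - name: Create the release
        env:
          # Installation tokens expire after about an hour; the private
          # key itself never leaves the token-minting step.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
```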

@zimbatm (Member)

zimbatm commented Nov 30, 2024

@infinisil do you still need this?

@JohnRTitor

Instead of having multiple apps for multiple things, I think it would be better to create a common app which will be used for multiple purposes, i.e., the apps for CI in Nixpkgs, nix-owners and nix-backports can be squashed into a single nixpkgs-ci / nix-ci bot.

@roberth (Member)

roberth commented Dec 4, 2024

Might be better for security this way.
Should become easy to manage with #40
Apps can be assigned users to manage them on a per-app basis. This may be useful when you're using actual GitHub Apps features and not just a token to feed back into GitHub Actions.

@infinisil (Member, Author)

@JohnRTitor Problem is that each app needs different permissions, and they shouldn't have more permissions than necessary:

  • nix-owners: Needs Nixpkgs PR write permission
  • nix-backports: Needs no permissions
  • nixpkgs-vet: Needs nixpkgs-vet content write permission

@infinisil (Member, Author)

@infinisil do you still need this?

Not urgently, it's a very low priority thing, but it would be nice, not even just due to more automation, but to also try out this automation concept.

@winterqt (Member)

winterqt commented Dec 4, 2024

nix-backports: Needs no permissions

This needs Nixpkgs PR write and repo write.

@infinisil (Member, Author)

Oh right, I should know because I requested it in #38 😆

We can probably indeed unify some use cases in the same bot.
