Expected behavior when using a github application

[alexklibisz]

Hi, I'm trying to understand the expected behavior when using a Github application (github-app-id, github-app-key-file).

Here's what I've observed on an internal enterprise GH deployment: when I use the github-app-id and github-app-key-file, Scala Steward will attempt to run on all repos that are visible to the application, not just the repos in the repos.md file.

That seems to line up with my reading of these lines: runF calls getGithubAppRepos and readRepos and concatenates the results.

I would have expected it to run on only the repos that are 1) accessible to the app, and 2) in the repos.md file. Instead it appears to be an or.

I also would have expected that by using the github app, we don't need a token, but that also does not seem to be the case.

Combined, I would have expected that there's a way to use an app, without a token, and only steward the repos in the repos.md file.

Am I understanding the behavior correctly? Is there any way to get the behavior I described above.

Thanks for all the contributors' awesome work on this project.

[laughedelic]

I think this belongs in the https://github.com/scala-steward-org/scala-steward-action repo. A few relevant things have changed/improved there recently, so check the updated docs. In short:

• it can generate the token now
• by default it will list the repo from the app installation, but
  • there is a new github-app-auth-only: true setting which turns that off, so then you can use repos-file to point to your repos list file

[alejandrohdezma]

😓 Sorry @alexklibisz, I totally missed this when you created it. And thanks @laughedelic for the response!

And yeah @alexklibisz, your assumptions are correct regarding Scala Steward as a runnable App. When you provide the GitHub App Id/Private-key it only uses that to "add" more repos to the list of updatable repositories (along with the ones in repos.md).

Regarding the token, take into account that GitHub App tokens are generated per-installation, and that these tokens only last for an hour, so if you have many repositories it may not be available for some of them. If this is your case, and you use GitHub Actions, you can use the same approach I follow for my own personal repositories, using a matrix to run Scala Steward for each repository independently. Because of how the action is written, each job will have its own Scala Steward cache, so subsequent runs will have the same benefits of running a single instance. Here is an example of this approach:

name: Run Scala Steward on the managed repositories

on:
  schedule:
    - cron: "0 5 1,15 * *"

jobs:
  get-repositories:
    name: Select repositories to update
    runs-on: ubuntu-latest
    outputs:
      repositories: ${{ steps.repositories.outputs.repositories }}
    steps:
      - name: Generate token
        id: github_app
        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # v1.7.0
        with:
          app_id: ${{ secrets.APP_ID }}
          installation_id: ${{ secrets.APP_INSTALLATION_ID }}
          private_key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Select repositories to update
        id: repositories
        run: echo "repositories=$(gh api installation/repositories -q '.repositories | map(.full_name)')" >> $GITHUB_OUTPUT
        env:
          GITHUB_TOKEN: ${{ steps.github_app.outputs.token }}

  run-scala-steward-single-repository:
    name: ${{ matrix.repo }} - Dependency update
    runs-on: ubuntu-latest
    needs: get-repositories
    strategy:
      fail-fast: false
      matrix:
        repo: ${{ fromJson(needs.get-repositories.outputs.repositories) }}
    steps:
      - name: Launch Scala Steward on ${{ matrix.repo }}
        uses: scala-steward-org/scala-steward-action@a84768fa6bdd47c92d9c965003247647467b4dbb # v2.45.0
        with:
          github-repository: ${{ matrix.repo }}
          github-app-auth-only: "true"
          github-app-id: ${{ secrets.APP_ID }}
          github-app-installation-id: ${{ secrets.APP_INSTALLATION_ID }}
          github-app-key: ${{ secrets.APP_PRIVATE_KEY }}

[alexklibisz]

Since posting the question, I've switched over to token-based authentication. That was simpler to setup and maintain, but I might switch back to app-based at some point.

Indeed the github-repository and github-app-auth-only: "true" settings solve this problem nicely for the scala-steward-action. However, I am not using the official action on the project in question, so it would be great for this github-app-auth-only behavior to be available directly on the scala-steward application.

More generally, not everyone is running scala-steward on Github actions. It's published as a Docker container, so you can technically run it wherever you want (another CI platform, Kubernetes Cronjob, etc.).

Would it be particularly difficult to replicate the github-app-auth-only behavior in scala-steward directly? It seems like it could be pretty simple: add that parameter to the CLI, thread it through to the runF method.

Was there a strong reason that this was implemented in the scala-steward-action, and not in scala-steward directly?

[alexklibisz]

Here's the comment where the Github App behavior finally became clear to me: #2973 (comment)

I think I'm starting to understand... It sounds like the Github app ID and key are actually only intended to be an alternative to repos.md. And you still have to provide a token regardless.