From f4939ce0041e31219560737b5f851ba9990212d5 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Tue, 10 Sep 2024 11:47:47 +0100 Subject: [PATCH] docs: Add info about secrets and GitHub apps --- docs/usage/github-organisation-management.md | 10 ++++++++++ docs/usage/secrets.md | 14 ++++++++++++++ mkdocs.yml | 1 + 3 files changed, 25 insertions(+) create mode 100644 docs/usage/secrets.md diff --git a/docs/usage/github-organisation-management.md b/docs/usage/github-organisation-management.md index 80e36b58..efec32e0 100644 --- a/docs/usage/github-organisation-management.md +++ b/docs/usage/github-organisation-management.md @@ -12,6 +12,8 @@ It is expected that all `plans` and `applies` are carried out within GitHub Acti Access to Terraform Cloud is limited due to team size restrictions if you need access to Terraform Cloud and don't have access already then feel free to request access in the appropriate Slack channel. +GitHub authentication is handled using a GitHub app. + ## Making Changes In this section we shall look at how you may modify the Terraform configuration to suit your needs and requirements. @@ -181,3 +183,11 @@ Run the script to rename the repository. Note that this will directly update the ``` Create a PR for the changes. + +## StackHPC Release Train TF bot + +GitHub authentication is handled using the [StackHPC Release Train TF bot App](https://github.com/organizations/stackhpc/settings/apps/stackhpc-release-train-tf-bot). +This app has a private key that is registered as a [GitHub secret](secrets.md). +The app is [installed](https://github.com/organizations/stackhpc/settings/installations/27194723) on the `stackhpc` organisation, with access to all repositories. +It has only the necessary permissions, but these are rather broad. +GitHub apps are documented [here](https://docs.github.com/en/apps/overview). diff --git a/docs/usage/secrets.md b/docs/usage/secrets.md new file mode 100644 index 00000000..a1dd0a0f --- /dev/null +++ b/docs/usage/secrets.md 
@@ -0,0 +1,14 @@ +# Secrets + +Various [GitHub Actions secrets](https://github.com/stackhpc/stackhpc-release-train/settings/secrets/actions) are used within StackHPC Release Train for integrating with external services. +All secrets are scoped to the StackHPC Release Train repository unless stated otherwise. + +| Secret | Type | Owner | Description | +| -------------------------------- | ------------------------- | ----------------------- | --------------------------------------------------------------------------------------------------- | +| `ANSIBLE_VAULT_PASSWORD` | Ansible vault password | N/A | Ansible Vault password for StackHPC Release Train secrets. +| `GALAXY_API_KEY` | Ansible Galaxy API token | stackhpc-ci GitHub user | Organisation secret used for importing Ansible content into Ansible Galaxy. | +| `repository_configuration_token` | GitHub PAT token | stackhpc-ci GitHub user | Used in [source code CI](source-code-ci.md) to create GitHub pull requests. | +| | | | Used in [GitHub organisation management](github-organisation-management.md) to add comments to PRs. | +| `SLACK_WEBHOOK_URL` | Slack webhook URL | Infra team leads | Used to send Slack notifications on GitHub Actions workflow failures. | +| `TF_API_TOKEN` | Terraform Cloud API token | Jack | Used in GitHub organisation management to authenticate with Terraform cloud. | +| `TF_VAR_GITHUB_APP_PEM_FILE` | GitHub app PEM file | GitHub org admins | Used in GitHub organisation management to authorise Terraform to manage GitHub repositories. | diff --git a/mkdocs.yml b/mkdocs.yml index e9fd6ca3..8d4fcc99 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -26,6 +26,7 @@ nav: Access control: usage/access.md Source code CI: usage/source-code-ci.md GitHub Organisation Management: usage/github-organisation-management.md + Secrets: usage/secrets.md - Operations: Ark: operations/ark.md Test Pulp: operations/test-pulp.md
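Review bot: the added line `+GitHub authentication is handled using a GitHub app.` in the first hunk of docs/usage/github-organisation-management.md (after the Terraform Cloud access paragraph) repeats the opening sentence of the new "StackHPC Release Train TF bot" section added further down the same file, but does not link to it, so a reader of the overview gets no pointer to where the app, its private key and its permissions are described. Suggest either dropping the line or turning it into a reference, e.g. `GitHub authentication is handled using a GitHub app; see [StackHPC Release Train TF bot](#stackhpc-release-train-tf-bot) below.`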
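Review bot: the sentence `+It has only the necessary permissions, but these are rather broad.` in the second hunk of docs/usage/github-organisation-management.md leaves the actual permission set undocumented, which is exactly the detail a reviewer needs to judge the blast radius of the app's private key, given that the same hunk states the app is installed with access to all repositories in the `stackhpc` organisation. Suggest listing the granted repository and organisation permissions explicitly in the docs (they are only visible on the linked app settings page, which, like the installation link, is reachable only by organisation admins), and adding a sentence on who can regenerate the app's private key and how a regenerated PEM is propagated to the `TF_VAR_GITHUB_APP_PEM_FILE` secret, so that key rotation does not depend on tribal knowledge.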
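Review bot: the continuation row `+| | | | Used in [GitHub organisation management](github-organisation-management.md) to add comments to PRs. |` in the new docs/usage/secrets.md table renders as a separate table row with empty Secret, Type and Owner cells, so it reads as an unnamed secret rather than a second use of `repository_configuration_token`; suggest merging both uses into that row's single Description cell (for example joined with `<br>` or a semicolon). In the same hunk: the `ANSIBLE_VAULT_PASSWORD` row is missing its closing `|`, `GitHub PAT token` expands to "personal access token token" (just `GitHub PAT`), `Terraform cloud` should be `Terraform Cloud` as in the rest of the table, and the Owner value `Jack` is a first name where the other rows name a user account, team or role, which will not survive staff changes; a group or role is the more durable owner record for a credential. Since two entries are long-lived credentials (a PAT and a Terraform Cloud API token), an expiry/rotation column or note would also be worth adding alongside the scope statement at the top of the page.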