Request nodejs admins for an API key for the nodejs bot in Travis #670
Comments
@nodejs/github-bot thoughts? |
Note that @nodejs-github-bot would also need to fork https://github.com/docker-library/official-images |
Tagging @nodejs/automation-admins in case nobody gets bots notifications |
Sounds like a good fit for automation 👍 I'm not too familiar with this repo and what's needed, so I'd appreciate some more details.. Other than an API token to be created and provided to the bot, we need some changes in nodejs/github-bot for the following things I assume?
Does this sound reasonable or have I misunderstood? |
Close. When the docker-node team merges a PR and the Travis CI build passed, we need the GitHub Bot to create a PR to the Docker Official Images repo to receive the update. This is the script that makes this possible: https://github.com/nodejs/docker-node/pull/672/files#diff-ec6b54754912d037a072bdf42d0885ea The only two things needed for this script to work are for a Node Bot account to have a fork of the Docker Official Images repo and for Travis CI to have a token for that bot to allow the bot to create a commit and then open a PR to the upstream repo. One thing to point out is that the admins of this repo don't actually need to know the token; it just needs to be added by a Node.js admin on our Travis CI repo and it will be encrypted: https://docs.travis-ci.com/user/environment-variables/#Defining-Variables-in-Repository-Settings |
No problem forking and cloning that upstream repo onto the server that the bot is running on currently. With that the bot can commit and push changes to github.com as is, it already has a GitHub API token used to push inline PR status to this repo, labels to PRs in nodejs/node etc. Or is there something special needed here that needs another token? |
It can be the same token if the automation prefer. In another project I used different tokens for different use cases to avoid one script affecting another one, but it's not essential. |
@phillipj BTW, you wouldn't need to clone it on your server. All the work would be done on Travis. |
Ahh okay, I got confused when you said the bot would need to fork the repo then. I haven't used Travis like this before, so please excuse my noob questions. Since Travis would be responsible for cloning and I also assume committing, what would the bot actually need to do here? Sounds like Travis would do all the work? |
@phillipj the bot still needs to fork to get the commits and pull request. We need the bot for its credentials. Travis doesn't have access to push or create pull requests. The script would go like this: clone its repo on Travis, make a commit, push that commit to GitHub, create a PR upstream using the API. Travis needs the token for the push and the API call. |
It's also worth noting that when a secured variable is created using the UI, it can't be recovered anymore which is great for security. |
Still not clear to me where the bot comes in here. Are all those steps performed by Travis? If not, please list those steps you mentioned above with who's responsible for executing them; Travis or nodejs-bot. Or is the only thing needed a GitHub token created from the nodejs-bot account, for Travis to use when communicating with github.com? |
When seeing #672 I just realised I might have misunderstood what you've meant by "bot" completely, as those changes seem to be doing everything in Travis? As long as that script gets a token provided, it's satisfied, right? In other words, the Node.js process / express.js server we're running on one of our servers that performs actions like adding PR labels etc based on GitHub webhook events, will not be involved at all? |
Correct! |
Awesome, thanks and sorry for the confusion! That PR references the GitHub username nodejs-docker-bot which already has the upstream repo forked. Is that a temporary GitHub username that we do want to replace with nodejs-github-bot instead? |
Hmmm, I would be OK with merging the two. I don't think we need our dedicated bot. |
Sounds reasonable 👍 I just forked the upstream repo: nodejs-github-bot/official-images. Also created a personal access token from the bot account and pushed to our secrets repo. Think @joyeecheung is a nodejs org admin, maybe he could help create that |
@phillipj I don't have access to the nodejs Travis account, and I could not find anything related in the secrets repo, and since we do not allow Travis to access our organization, I cannot authorize Travis accordingly so that I can access the project from my Travis account. My guess is @Fishrock123 or @rvagg might have an idea about how to change the Travis settings under the nodejs account? Or now that we have moved our sensitive repos to nodejs-private (there is still the moderation repo though), we can now just open access to Travis anyway (need consensus from TSC of course)? I am a she by the way. |
@joyeecheung travis.org can authenticate you via GitHub and uses your GitHub permissions to determine if you can access these settings |
https://docs.travis-ci.com/user/encryption-keys/#Encryption-scheme
...
thar ya go |
@LaurentGoderre We do not allow Travis (or any other third-party service) to read the nodejs organization via the admin's personal Github account at the moment (i.e. I should not click any button on travis.org that authenticates travis to access anything under this organization, then travis would not know that I am an admin of this org, hence I cannot change the travis setting), so it's not that we cannot perform the action, it's just that our existing policy does not allow it. Can you try the method provided by @rvagg ? |
Sorry about that, I should have mentioned it was part of a pending PR that just got merged. |
@rvagg Travis secure tokens are per repo. Can you try running this instead?
|
doh, sorry, I knew that but forgot where I was!
|
Thanks @rvagg that did it! Thanks all involved! |
I think it would be fairly easy to automatically create a PR to the official images repo as a build stage on merge commits. All that would be required would be for an admin to add a private variable called GITHUB_API_TOKEN to our Travis setup and add a token from the @nodejs-github-bot user with only read access. The user could then run generate-stackbrew-library and open a PR to the official images repo.