NickLiffen/ghas-enablement

Support multiple organizations with GitHub App Auth

Closed this issue · 8 comments

Hello,

I work at an enterprise that divided its repositories over multiple organizations in GitHub. We prefer to use this tool with GitHub App Auth authentication over a PAT (private access token).

Currently with a PAT that has been authorized on all your organizations, you can already run the getOrgs.js script and set GHAS features over multiple organizations with a single run of getRepos.js and enable.js. We would like similar functionality when using GitHub app authentication.
When you use GitHub App authentication this feature is currently not available, because the tool fetches a token for one specific APP_INSTALLATION_ID/organization.

Expected:
Given that the GITHUB_ENTERPRISE and no GITHUB_ORG has been set in the environment.

  1. The tool authenticates using the APP_ID and the APP_PRIVATE_KEY.
  2. The tool fetches information about the Organizations where the GitHub App has been installed.
  3. The tool loops over those organizations (I believe acquiring some kind of token for each one of them) and lists all relevant repos and applies changes to them.

Not expected:

  • Filtering organizations is not a requirement for us, because we can already "suspend" a GitHub app installation in the UI if we want to temporarily not use this tool on a certain organization.

Kind regards,
Jors

Hey @jorsmatthys 👋

So I am trying to figure out how this is going to work 🤔

Would the github app not have to be installed on every org beforehand? And every github app would have its own App ID and App Private Key 🤔

I have done some digging and can't seem to have an app installed across multiple organisations easily 😢

If there was an idea of an enterprise app, that would be amazing! but I don't think there is one 😢

Keen to get your thoughts.

Hello :)

Apps that we host ourselves, we configure them under only one organisation, and then we can easily install them to all other organisations. So there is only one App ID and one App Private Key in that case.

(screenshot: app_install_page)

To make the install buttons for the other organisations visible you have to however go to the advanced settings of the GitHub app and click on "Make this GitHub app public". (had to look for that a while as well)
So the app configuration doesn't live under the enterprise level, but it is available to the enterprise. We chose to configure the app under the organisation where we have a copy of the source code in a repo, so it isn't completely random.

@jorsmatthys 👋 just to make sure something, are you on GHES (enterprise server)?

The problem with making this public on GHEC is anyone is able to install the app on their github instance I think. So it wouldn't be scoped to every org within your enterprise, it would be literally EVERY org in the whole of github.com 👀

I think this would work though for GHES. If you could confirm that, that would be great 👍

Hmmz thanks for the info, interesting point you make. 😃

We are on GHEC and in our case, the public page of our app does not appear to be visible outside our enterprise. I just tried to access it while being logged in with my personal user, and I get a not found. But that could be because of other settings at the enterprise level (nothing in our enterprise is made completely public).

Since the public page urls are like: https://github.com/apps/app-name that also should have given away that it is not meant to be enterprise scoped (but I didn't need the url so didn't pay attention to it).

I can't test on GHES personally.

@NickLiffen It seems like a hassle to have to configure multiple keys indeed, for me this can be closed for now but I leave it up to you :) I feel like a feature should be there to expose Apps internally. If I find a request for that which is still open, I will join the call. Thanks for pointing out my misconception.

Hey @jorsmatthys 🙇

this is 100% not your misconception at all 🙇 this is great feedback. I think, for now, getting this working is going to be quite complex. I chatted to a few internal people and I think the solution is to wait and see what comes this year to help solve this 👍 I will close this out for now, however, I will do some digging and once something becomes available, I will get around to this 👍

@jorsmatthys We had a similar challenge. I think I got this working in a way that meets your needs as well. I grabbed the installation IDs for each Org that our App was installed on and added them to a matrix in a workflow file. A job is created for each Org/App Installation ID

name: "Enable GHAS"
on:
  push:
    branches: [main, master]
  # schedule:
  #   - cron: "5 16 * * 1"
env:
  APP_ID: xxx
  APP_CLIENT_ID: xxx
  APP_CLIENT_SECRET: ${{ secrets.GHAS_ENABLEMENT_APP_CLIENT_SECRET }}
  APP_PRIVATE_KEY: ${{ secrets.GHAS_ENABLEMENT_APP_PRIVATE_KEY }}
  # APP_INSTALLATION_ID: <Set in matrix>
  # -or-
  # GITHUB_API_TOKEN: ${{ secrets.GHAS_ENABLEMENT_PAT }}

  GITHUB_ENTERPRISE: "xxx"
  ENABLE_ON: "secretscanning,dependabot"
  DEBUG: "ghas:*"
  CREATE_ISSUE: "false"
  GHES: "false"
jobs:
  enable-ghas:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # one installation id per organization the App is installed on
        app_install_id: [<idA>, <idB>, ...]
    env:
      APP_INSTALLATION_ID: ${{ matrix.app_install_id }}
    steps:
      - uses: actions/checkout@v2
      - name: Get dependencies and configure
        run: |
          yarn
          yarn getRepos
      - name: Enable security on organization
        run: |
          npm run start

Hi @ajilty Thanks for the reply/example :) that is indeed a nice solution and it is what we ended up doing as well, we made a matrix that uses a list of organization details and a list of languages and runs the tool for every combination.