guardian/gu-who

Runs this regularly on a server?

Closed this issue · 4 comments

Hey,

great tool you built here, thanks for opening it up.

I was wondering: when do the checks run? Is it regularly via some internal scheduling, triggered by a cron or only when a user logs in? From reading the code I think it's the latter only, correct? How do you run this at the Guardian?

My ideal case here would be to run this on a server (with an access token of a user who's in the bots group).

great tool you built here, thanks for opening it up.

Thanks!

when do the checks run?

Only when the https://gu-who.herokuapp.com/audit/[org-name] point is hit - which requires authentication, either by you logging in via GitHub or by hitting it with the appropriate headers:

curl -X POST -H "Csrf-Token: nocheck" -H "Authorization: token {{ YOUR_GITHUB_API_KEY }}" https://gu-who.herokuapp.com/audit/[org-name]

At the Guardian, I just have a cron job that hits that url - pretty low-tech! It would be nice to let users schedule repeat scans, but Heroku servers get spontaneously killed, gu:who currently has no storage other than GitHub itself, and in any case I didn't really want to have to store other people's credentials. The credential has to be an 'Owner' account, with full permissions, so it's a very sensitive one to hold - gu:who does not retain it after your request.
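One way to run that cron job, as an added example that is not gu-who's own code: a POSIX sh wrapper that reads the Owner token from a 0600 file and hands the headers to curl through a config file, so the token never appears in argv, shell history or the crontab. The script path, the token file location and the `GU_WHO_ORG` variable are assumptions.

```shell
#!/bin/sh
# Cron wrapper for the gu:who audit endpoint (added example, not gu-who code).
# Assumed: the Owner token lives in $TOKEN_FILE (mode 0600), not in the crontab.
GU_WHO_BASE="${GU_WHO_BASE:-https://gu-who.herokuapp.com}"
TOKEN_FILE="${TOKEN_FILE:-$HOME/.gu-who-token}"

# GitHub org logins: alphanumerics and single hyphens, at most 39 characters.
# Rejecting anything else keeps shell metacharacters out of the request URL.
validate_org() {
  case "$1" in *--*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]{0,38}$'
}

# Write a curl config carrying the auth header, so the token is read from a
# private file instead of being visible to every local user via ps.
write_curl_config() {  # $1 = token, $2 = org, $3 = output path
  ( umask 077; cat > "$3" <<EOF
request = "POST"
header = "Csrf-Token: nocheck"
header = "Authorization: token $1"
url = "$GU_WHO_BASE/audit/$2"
silent
show-error
write-out = "%{http_code}"
output = "/dev/null"
EOF
  )
}

run_audit() {  # $1 = org; returns 0 only when gu:who answered with a 2xx status
  validate_org "$1" || { echo "refusing suspicious org name: $1" >&2; return 2; }
  [ -r "$TOKEN_FILE" ] || { echo "token file $TOKEN_FILE unreadable" >&2; return 2; }
  token=$(cat "$TOKEN_FILE")
  cfg=$(mktemp) || return 2
  write_curl_config "$token" "$1" "$cfg"
  code=$(curl -K "$cfg")
  rm -f "$cfg"
  case "$code" in
    2*) echo "audit of $1 triggered (HTTP $code)"; return 0 ;;
    *)  echo "audit of $1 failed (HTTP ${code:-none})" >&2; return 1 ;;
  esac
}

# Assumed cron entry: 0 6 * * * GU_WHO_ORG=guardian /usr/local/bin/gu-who-audit.sh
if [ -n "${GU_WHO_ORG:-}" ]; then
  run_audit "$GU_WHO_ORG"
fi
```

A non-zero exit makes cron mail the failure, which is the only signal you get that an audit silently stopped running.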

At the Guardian, I just have a cron job that hits that url - pretty low-tech!

And I reckon that cron job runs from your local machine then?

Might also make sense to document this workflow in the Readme, since I imagine it to be a common question?

The credential has to be an 'Owner' account, with full permissions, so it's a very sensitive one to hold - gu:who does not retain it after your request.

Yeah, the repo and write:org credentials are sensitive. On the other hand I'd trust these to be secure if I'd be running it within our own infrastructure (and not on heroku).

when do the checks run? Is it regularly via some internal scheduling, triggered by a cron or only when a user logs in? From reading code I think it's the later only, correct?

Just to follow up on this, now that GitHub has organisation webhooks, we can just trigger gu:who using them - the need for a cron job is pretty much gone:

42c872c

Set the org webhook to hit something like:

https://gu-who.herokuapp.com/audit/guardian?access_token={{ YOUR_GITHUB_API_KEY }}

Seems the webhook is now broken. Just tried deploying gu-who on Heroku and got this error:

Caused by: java.lang.IllegalArgumentException: requirement failed