Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Wire in GitHub App authentication for the commenter and update job flags #32806

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

tnozicka
Copy link
Contributor

This PR adds GitHub App authentication for commenter robot and unifies the flags and client building with prow machinery. Unfortunately, this requires changing the flag names (mostly prefixed by github-, so I've updated the jobs as well.

Resolves #32805

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 21, 2024
@k8s-ci-robot k8s-ci-robot added area/robots Issues or PRs related to code in /robots sig/contributor-experience Categorizes an issue or PR as relevant to SIG Contributor Experience. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jun 21, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tnozicka
Once this PR has been reviewed and has the lgtm label, please assign cjwagner for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tnozicka
Copy link
Contributor Author

Here is a successful run with an image built from this PR using the GitHub App credentials
https://prow.scylla-operator.scylladb.com/view/gs/scylla-operator-prow/logs/ci-scylla-operator-triage-robot-stale-issues/1804094275261042688

@@ -70,10 +68,10 @@ func flagOptions() options {
flag.StringVar(&o.comment, "comment", "", "Append the following comment to matching issues")
flag.BoolVar(&o.useTemplate, "template", false, templateHelp)
flag.IntVar(&o.ceiling, "ceiling", 3, "Maximum number of issues to modify, 0 for infinite")
flag.Var(&o.endpoint, "endpoint", "GitHub's API endpoint")
flag.StringVar(&o.graphqlEndpoint, "graphql-endpoint", github.DefaultGraphQLEndpoint, "GitHub's GraphQL API Endpoint")
flag.StringVar(&o.token, "token", "", "Path to github token")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we keep these temporarily and backfill o.github.* items from them to avoid breaking existing users (outside of k8s)?

I'd prefer to do that and emit a warning about eventually (a month? two?) removing these options, to give folks at least a chance to notice and fixup their configs. With a reminder comment someone will eventually notice and remove the code after the date.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(as written this will also break kubernetes, unless quickly followed with a successful image upgrade ...)

Copy link
Contributor Author

@tnozicka tnozicka Jun 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've started by wiring the old flags, but some of the fields were private (in the new prow utils config). Let me give it a second try with some extra variables and syncing it back.

- --token=/etc/github-token/token
- --endpoint=http://ghproxy.default.svc.cluster.local
- --github-token=/etc/github-token/token
- --github-endpoint=http://ghproxy.default.svc.cluster.local
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this isn't a sufficiently safe way to make this change, as we're not running from source here, see the image above

log.Printf("Searching: %s", query)
issues, err := c.FindIssues(query, sort, asc)
issues, err := c.FindIssuesWithOrg(org, query, sort, asc)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, I don't remember this. The need for the org arg could be avoided by extracting it from the query, it should always have one of org:foo or repo:foo/bar

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the JWT tokes signed for the GH app are signed only for the installation ID which is per org, the query doesn't really matter afaik, so you can only query a single org in a single job with GH apps

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The point is right now you have to specify the same org in both the query and the CLI arg, it would be a better UX if we extracted the org from the query so it doesn't have to be duplicated into the CLI arg.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It has crossed my mind but:
a) you have to parse the query
b) the org can be implied be any of the repo: specs with the full name using /
c) with a) and b) together it would become complex and not intuitive (the error message can't just say use a single org: because of b) )

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think its very complex, you just have to extract all org: and repo: blocks and for the repo: blocks then extract the org. If overall you get exactly one org, use that. If not, error out mentioning that you got too many or none. This could also be directly in the github client method to get rid of the mandatory org arg.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this should be coupled to the GitHub search query syntax that can change over time. We'd always have to keep up. There is also set logic that you have to account for, like is:issue team:kubernetes/sig-testing -org:kubernetes-sigs

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 24, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle rotten
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 24, 2024
@tnozicka
Copy link
Contributor Author

/remove-lifecycle rotten

I am planning to get back to this in the coming weeks, apologies for the delay.

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/robots Issues or PRs related to code in /robots cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/contributor-experience Categorizes an issue or PR as relevant to SIG Contributor Experience. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add GitHub AppID and key authentication to commenter bot
6 participants