We have successfully integrated SonarQube into our build pipelines on Azure DevOps and have used a developer's account to generate a PAT for pull request decoration. The problem is now that the developer's account is posting comments across all our repos on different Pull Requests. It seems the alternative is to create a whole new user titled 'SonarQube' (or similar) in our Active Directory and generate a new PAT to do this, which seems overkill. Any alternative options would be appreciated.
Creating a separate identity that would belong to SonarQube is the only option. The identity posts the comments using the DevOps API where the PAT is the only identification of the identity.
Using a developer's account for PR decoration not only feels strange when reading the comments, but it is also fragile. When the developer leaves the company, their account will be terminated and suddenly, PR decoration will break and it may not be immediately clear why. Also, the developer could revoke the PAT at any time by mistake. In a larger organization, no single developer will have the right to comment on pull requests everywhere, so multiple developer accounts will be in use, which makes the configuration even more complex and fragile.
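A check that goes with this answer, added here as an example and not part of the original post: before wiring a PAT into SonarQube, resolve which Azure DevOps identity it actually authenticates as, so a developer's token does not slip in. It calls the `_apis/connectionData` endpoint that tools commonly use to validate a PAT; the organization name, expected service account and the field names in the sample response are assumptions, and the sample response itself is constructed.

```python
import base64
import json
import urllib.request

ORG = "example-org"  # hypothetical organization; replace with your own
EXPECTED_ACCOUNT = "sonarqube@example.com"  # hypothetical service identity


def basic_auth_header(pat: str) -> str:
    """Azure DevOps takes a PAT as the password of HTTP Basic auth with an empty user name."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def identity_from_connection_data(payload: dict) -> dict:
    """Pull the caller identity out of a connectionData response (field names assumed)."""
    user = payload["authenticatedUser"]
    account = user.get("properties", {}).get("Account", {}).get("$value", "")
    return {
        "display_name": user.get("providerDisplayName", ""),
        "account": account,
        "active": bool(user.get("isActive", False)),
    }


def check_decoration_identity(identity: dict, expected_account: str) -> list:
    """Return findings; an empty list means the PAT belongs to the expected service identity."""
    findings = []
    if identity["account"].lower() != expected_account.lower():
        findings.append(f"PAT authenticates as {identity['account']!r}, expected {expected_account!r}")
    if not identity["active"]:
        findings.append("identity is not active")
    return findings


def fetch_connection_data(org: str, pat: str) -> dict:
    """Live call; only used when run as a script."""
    req = urllib.request.Request(
        f"https://dev.azure.com/{org}/_apis/connectionData",
        headers={"Authorization": basic_auth_header(pat), "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response in the shape of the endpoint; every value is invented.
SAMPLE_RESPONSE = {
    "authenticatedUser": {
        "providerDisplayName": "SonarQube (service)",
        "isActive": True,
        "properties": {"Account": {"$type": "System.String", "$value": "sonarqube@example.com"}},
    }
}
```

Run with a real PAT by calling `fetch_connection_data(ORG, pat)` and passing the result through the two functions; a non-empty findings list means the token is the wrong identity for decoration.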
Related
At my company, we have a CLI which allows our customers to upload data to our backend solution. The CLI runs on PR changes within a job. Let's assume the uploaded data looks like this:
{
name: "John",
age: 20,
}
Once the upload is completed, I'd like to create a comment on the PR with the following body:
John is 20 years old.
I've found the following ways to do this:
GitHub App (a bot)
GitHub OAuth App
Personal Access Token
GITHUB_TOKEN
GitHub App
The GitHub App needs to do the following things:
Fetch the data via a user-specific API key
Create a comment
I already created a comment via a bot, but I have no clue how to fetch the data.
As far as my understanding goes, I'd like other users to be able to install this GitHub app from the marketplace to work out of the box. From the ProBot Docs I understand that the bot operates on a webhook basis. Meaning I need to subscribe to a 'job completed' event (not sure if that's the correct name but I think you get the idea) and then fetch the data via a user-specific API we are providing on our platform. However, I see no way for the user of our App to configure an API key (or any form of secret) so the bot can make authenticated requests to our endpoints.
I'd prefer to use GitHub App because the comment coming from the bot would have our company branding and also an indicator that this comment has been created by the integration.
OAuth App
I already tested this by using Postman, however, the comment looks like it's coming from a specific user. Therefore, it has no company branding and it's not clear that an integration created the comment. However, the great part is that we could integrate this with our application, so our backend could create the comment once the data is received.
What I like about this approach is that we also need to implement such a feature for GitLab, Azure, etc., and using OAuth likely scales well with the other providers in comparison to the GitHub App, which is GitHub-specific.
Personal Access Token
Works pretty much like the OAuth App, but instead of our backend creating the comment, the comment is created by the CLI (and the access token is passed into the CLI). However, I think this approach is a bit sketchy.
GITHUB_TOKEN
While I haven't tried this yet, I assume that the token has limited but sufficient permissions to create a comment. As of now, I don't know what the comment will look like, but I think we can rather safely pass this into the CLI to create the comment from there. Since the permissions are limited and the token is invalidated after the workflow I see limited risk for the user of our CLI (and services).
Edit: The comment is coming from the github-actions bot, which is not the branding we are looking for, but it's clear that the comment has been created by the integration.
Questions
What's the best way to accomplish what I am trying?
Is there any way I can make this work with GitHub Apps (aka bots)?
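The GITHUB_TOKEN variant from the question, worked through as an added example (not code from the original post): the CLI step reads the uploaded record, builds "John is 20 years old.", takes the PR number from the event payload Actions writes to $GITHUB_EVENT_PATH, and posts through the issue-comments endpoint. The repository name, the sample record and the sample event are constructed; the workflow job needs `permissions: pull-requests: write` for the token, and the comment shows up as the github-actions bot, as the question's edit notes.

```python
import json
import os
import urllib.request

API = "https://api.github.com"


def format_comment(data: dict) -> str:
    """Turn the uploaded record into the sentence the PR comment should carry."""
    return f"{data['name']} is {data['age']} years old."


def pr_number_from_event(event: dict) -> int:
    """On pull_request events the payload carries the PR; anything else is not commentable here."""
    if "pull_request" in event:
        return int(event["pull_request"]["number"])
    raise ValueError("not a pull_request event")


def build_comment_request(repo: str, pr_number: int, body: str, token: str) -> urllib.request.Request:
    """PR conversation comments are created via the issues comments endpoint."""
    return urllib.request.Request(
        f"{API}/repos/{repo}/issues/{pr_number}/comments",
        data=json.dumps({"body": body}).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )


# Constructed sample input matching the record in the question, plus a minimal event payload.
SAMPLE_DATA = {"name": "John", "age": 20}
SAMPLE_EVENT = {"pull_request": {"number": 42}}

if __name__ == "__main__":
    # Inside a workflow job these variables are provided by GitHub Actions.
    token = os.environ["GITHUB_TOKEN"]
    repo = os.environ["GITHUB_REPOSITORY"]  # "owner/name"
    with open(os.environ["GITHUB_EVENT_PATH"]) as fh:
        event = json.load(fh)
    req = build_comment_request(repo, pr_number_from_event(event), format_comment(SAMPLE_DATA), token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        print("comment created:", json.load(resp)["html_url"])
```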
I have a scenario where a user with a valid Personal Access Token makes thousands of calls to create work items in Azure DevOps. I went through all the documentation but couldn't find anything. One can enable conditional access, but that would not cover this. The rate limits, etc., are all default and there is no option to control those. Is there a way to control the number of requests a valid user can make?
Is there a way to control the number of requests a valid user can make?
I am afraid there is no such way to do this at this moment.
In my personal opinion, this request is reasonable.
You could add your request for this feature on our UserVoice site (https://developercommunity.visualstudio.com/report?space=21&entry=suggestion), which is our main forum for product suggestions. Thank you for helping us build a better Azure DevOps.
I was "david.corbin#companyA.com" now I am "boogie.woogie#companyB.com". Both are AAD backed identities.
The goal is to change how I authenticate to Azure DevOps so that I have one consistent history without "fracturing" or "historical user".
I have tried (in a playpen environment) various items, but I always end up with there being two distinct identities.
In the past during migrations, Microsoft Support was able to alter identities, but I am looking for a solution that does not involve opening a bunch of support tickets.
Azure DevOps Change User Identity
I am afraid there is no solution that would let you resolve this issue by yourself.
If you have already added the new account boogie.xxxx#companyB.com to the organization, we cannot map the old david.xxxx#companyA.com account to that Azure AD identity.
That is because it will be treated as a new account and assigned a unique VSID when you add the account boogie.xxxx#companyB.com to the organization.
That is also the reason why you always end up with two distinct identities.
To resolve this issue, we need to contact the support team to map the two accounts as one in the backend. You could submit the ticket on the Developer Community if you do not want to open a support ticket. Or you could create a technical support ticket from the Azure Portal if you have an Azure support plan.
In this tutorial someone describes how to use the GitHub REST API to create comments in pull requests using GitHub's personal access tokens.
Finally, there appears a comment with your personal github account and avatar.
In the example one can see such a comment with the text Test it at [...].
Is there an option to comment as traviscibot, such that this Travis icon will show up instead? I want the reader to be able to distinguish which comments were made by Travis and which were made by a human.
A possible work-around would be to create a new GitHub account, name it my-travis-1234567890, add this account to the repository, create a personal access token for this account and use the latter. But is there a way without creating a new GitHub account?
I am tasked to help automate the workflow related to automating a few tasks related to management of our organization account on GitHub. For example, add and remove users from the org, create new repos, add external collaborators, etc. The requests for these actions will come from a system where a user fills in a form, and this system will curl to the GitHub API after the request is reviewed and approved.
By reading the GitHub API documentation I can set up the curls for this, but I am unsure about authentication best practices. My first idea would be to create a user account specific for this use case, make it admin for the org, and create an OAuth token with the scopes needed to be allowed to make these requests. However, it feels a bit too hacky to create an individual account for something that is not an individual, and then make it admin of the whole organization.
Is there a better way to approach this?