At the end of the day, I'm trying to implement the solution linked from here: Reuse Github Actions self hosted runner on multiple repositories. But the tutorials walk you though setting up a GitHub app in the UI, and I'm trying to do it via the API.
Context:
Creating a new "GitHub App" (not "OAuth App") in GitHub Enterprise v3.0 (soon migrating to v3.1).
Trying to do it entirely over the API and explicitly NOT the UI, by creating an "app manifest" (https://docs.github.com/en/enterprise-server#3.0/developers/apps/building-github-apps/creating-a-github-app-from-a-manifest).
Everything I've read about permissions on docs.github.com ends up pointing over to https://docs.github.com/en/enterprise-server#3.0/rest/reference/permissions-required-for-github-apps, which does not include the specific values that can be used with the API.
On a GHE instance, there is a large list of permissions available at a URL with this pattern:
https://{HOSTNAME}/organizations/{ORG}/settings/apps/{APP}/permissions
The specific permission I'm trying set says:
Self-hosted runners
View and manage Actions self-hosted runners available to an organization.
Access: Read & write
In the documentation (https://docs.github.com/en/enterprise-server#3.0/developers/apps/building-github-apps/creating-a-github-app-from-a-manifest#github-app-manifest-parameters) there is a parameter called default_permissions.
What is the identifier (key) to use for this permission, where the value is write?
I've tried:
the documented Self-hosted runners
the guess self-hosted runners
the guess self-hosted_runners
the guess self_hosted_runners
the guess selfhosted_runners
the guess runners
…but ultimately, the actual values which can be used here are (as far as I can tell after several hours of digging and guessing) undocumented.
actions:read and checks:read appear to work. Those are also undocumented, but I was able to figure it out by looking at the URLs, making an educated guess, and testing.
All of the tutorials I can find on the internet, including those on docs.github.com, all walk you through creating a new GitHub app via the UI. I am very explicitly trying to do this over the API.
Any tips? Have I missed something? Is this not available in GHE yet?
Here is my app manifest, redacted.
{
"public": true,
"name": "My app",
"description": "My app's description.",
"url": "https://github.example.com/my-org/my-repo",
"redirect_url": "http://localhost:9876/register/redirect",
"default_events": [],
"default_permissions": {
"actions": "read",
"checks": "read",
"runners": "write"
},
"hook_attributes": {
"url": "",
"active": false
}
}
WITH the "runners": "write" line, the error message I receive says:
Invalid GitHub App configuration
The configuration does not appear to be a valid GitHub App manifest.
× Error Default permission records resource is not included in the list
WITHOUT the "runners": "write" line, the submission is successful.
The GitHub team finally updated the documentation. The permission I was looking for was organization_self_hosted_runners.
Related
I'm looking for a way to automate/script Azure DevOps project creation. I know that I can use VSTeam PowerShell module to create a project, but it does not provide a way to programmatically set project settings (the ones on the screenshot below). Is there a way to do that with PowerShell or AZ CLI? In particular I'm looking for a way to control/change these two settings:
Limit job authorization scope to current project for non-release pipelines
Limit job authorization scope to referenced Azure DevOps repositories
You can try to use Rest API:
How to use PowerShell with rest API: Modify Azure Devops Test Case Parameters Through REST API
Rest API Methods: General Settings - Get; General Settings - Update
To create a project you will need to send a POST to https://dev.azure.com/<devopsOrgName>/_apis/projects?api-version=5.0-preview.3
with a body like the below. To get the "template type" value used in the body, you will need to set a GET to https://dev.azure.com/<devopsOrgName>/_apis/process/processes?api-version=5.0-preview.1
` {
"description": "Tailspin Toys",
"name": "Tailspin_TOYS",
"capabilities": {
"versioncontrol": {
"sourceControlType": "Git"
},
"processTemplate": {
"templateTypeId": "24268e03-7eed-4ac0-a178-700881565b99"
}
}
}`
To change specific settings, that you can't find in the documentation, I would suggest using the developer tools in your browser (f12). Watch the network tab and you should see the requests going when you change your setting.
In this instance, I can see the below request when I try these settings
URL: https://dev.azure.com/<devopsOrgName>/_apis/Contribution/HierarchyQuery
Type: POST
Body:
{ "contributionIds":["ms.vss-build-web.pipelines-general-settings-data-provider"],"dataProviderContext":{"properties":{"enforceJobAuthScopeForReleases":"false","sourcePage":{"url":"https://dev.azure.com/<devopsOrgName>/<projectName>/_settings/settings","routeId":"ms.vss-admin-web.project-admin-hub-route","routeValues":{"project":"<projectName>","adminPivot":"settings","controller":"ContributedPage","action":"Execute","serviceHost":"495d404e-cdeb-496a-8496-fccf9df3d9fa (<devopsOrgName>)"}}}} }
Azure DevOps REST isn't the most documented, but when used with your browser develop tools, I haven't found something I couldn't set.
Is it possible to fork a repo that exists in a Private Project of the SourceOrganization into another Project of DestOrganization using Azure DevOps API?
No this is not available.
The question you linked to will allow you to create a one-time mirror of another repository, but you won't have any features like pull requests, diff/merge etc.
You can perform an import request to create a clone in another organization, but it completely ignores the relationship between the repos and you can't perform any pull requests across the organisations.
The code is two-step:
Create a temporary endpoint using a PAT that has at least Code (Read) access on the source organisation.
POST https://dev.azure.com/{{ORG}}/{{PROJECT}}/_apis/serviceendpoint/endpoints
{
"authorization":{
"parameters":{
"password":"{{PAT WITH ENOUGH PERMISSIONS}}",
"username":"."
},
"scheme":"UsernamePassword"
},
"name":"{{RANDOM UNIQUE NAME}}",
"type":"git",
"url":"{{CLONE URL OF SOURCE REPO}}"
}
which will respond with an endpoint ID:
{
"data":{},
"id":"72d574f0-05f1-481f-af15-f78579b374d4",
"name":"wv1w1",
"type":"git"
...
}
Then create the import:
POST https://dev.azure.com/{{ORG}}/{{PROJECT}}/_apis/git/repositories/{{NEW REPO NAME}}/importRequests
{
"parameters":{
"deleteServiceEndpointAfterImportIsDone":true,
"gitSource":{
"overwrite":false,
"url":"{{CLONE URL OF SOURCE REPO}}"
},
"tfvcSource":null,
"serviceEndpointId":"{{ID FROM PREVIOUS REQUEST}}"
}
}
It also can't be used to sync sources between different organisations.
You could cobble something together with a Azure Pipeline that pushes the changes from one org to another. Again, no "fork", but really just a sync.
I've gone through Github Rest API v3 and Github GraphQL API v4 but I'm unable to find a resource/endpoint to check if dependabot is enabled via the API?
I've gone through loads of documentation but was unable to find anything helpful.
Could someone please point me to the correct document or tell me which resource to use?
Thanks!
Now that Dependabot is merged into GitHub, there are three different features that can be enabled in addition to the dependency graph itself: two in the Security & analysis section of the settings, and the last in the Dependency graph section of the Insights tab of a given GitHub repo:
Dependabot alerts: will security alerts be generated?
Dependabot security updates: will pull requests be generated by the discovery of vulnerable dependencies?
Dependabot version updates: will pull requests be generated whenever a new version of a dependency becomes available?
(All require Dependency graph to also be enabled--and for a repo to have at least one supported package ecosystem file)
Checking if Dependabot alerts are enabled
According to the GitHub REST API Reference, you can check whether Dependabot alerts are enabled via the GitHub REST API at the following endpoint:
https://api.github.com/repos/{owner}/{repo}/vulnerability-alerts
A 204 response confirms the feature is enabled, a 404 means it is not.
Checking if Dependabot security updates are enabled
Curiously, the GitHub REST API Reference lists requests to enable or disable the feature, but not to get the current status of the feature for a given repo, and I have not been able to satisfactorily find how to get that information from the REST or GraphQL API.
GuiFalourd's answer mentions using the GraphQL API to check for the presence of a .github/dependabot.yml file. Unfortunately that isn't a 1-to-1 relationship with security updates: the file could be present without security updates enabled, or could be absent when security updates are enabled. The dependabot.yml file is used for version updates, which is related but not the same thing.
You could always use the REST API enable security updates request to ensure the feature is on, but that is not at all the same as querying its current status for a repo. If anyone does discover a way to do this without page scraping, or if GitHub adds the ability to check in the future please let me know!
Checking if Dependabot version updates are enabled
Again, this is not the same as security updates, but depending on your policy/practices it may be a 1-to-1 relationship. Use something like the following against the Graph endpoint https://api.github.com/graphql
Query
{
repository(name: "{repo}", owner: "{owner}") {
object(expression: "HEAD:.github/") {
... on Tree {
entries {
name
}
}
}
}
}
Response if file is present:
{
"data": {
"repository": {
"object": {
"entries": [
{
"name": "dependabot.yml"
}
]
}
}
}
}
Response if file is not present:
{
"data": {
"repository": {
"object": null
}
}
}
There was a dependabot API docs that could have helped, but it was deprecated in August 3rd 2021.
However, a workaround would be to check if the dependabot.yml file is present in your repository or not using a GET request to api.github.com/repos/name/repo/contents/fileNameOrPath.
Reference about the dependabot.yml file
Answer by #epopisces is to the point , I was also looking for the same thing. Now addition to what he said. Checking the status of Dependabot security updates is possible via GET request (GET /repos/{owner}/{repo}) to a particular repo , which can have security and analysis tag in response(only if we have Advanced security license). No other way to know the status yet via API.
https://docs.github.com/en/rest/reference/repos#get-a-repository
As of 2023-01-10 the Repository object type now exposes a hasVulnerabilityAlertsEnabled field in the GraphQL API. So, for example, the following query:
{
repository(name: "platform-samples", owner: "github") {
id
hasVulnerabilityAlertsEnabled
}
}
Gives the following result:
{
"data": {
"repository": {
"id": "MDEwOlJlcG9zaXRvcnk4NDQ1ODc3",
"hasVulnerabilityAlertsEnabled": true
}
}
}
Sadly, this still won't tell you if Security Updates are enabled but you can at least find out if Alerts are turned on.
Following this documentation I try to make a user following a work item but I receive the following error:
{
"$id": "1",
"innerException": null,
"message": "You are not authorized to create a subscription.",
"typeName": "System.UnauthorizedAccessException, mscorlib",
"typeKey": "UnauthorizedAccessException",
"errorCode": 0,
"eventId": 0
}
The user which tries to create the subscription is an Admin of the project. Both users have access level Basic on organization level. The request uses Basic Auth with PAT with Full Access privileges. The same request succеeds in a different (test) organization but I don't see where is the difference between.
If your users want to set up Global notification, you need to make sure they are members of the Project Collection Administrators group of the organization.
I tested it in the UI, if the user is a project admin but not a member of the PCA group, then he has no permission to perform the operation.
Thanks for providing detail on your user role & licensing, those are usually the first two things to check in cases like these.
Since you're a Project Administrator and have at least a Basic license, I'd recommend checking two things:
If you're using the same PAT when issuing both calls between organizations, make sure that you've chosen "All accessible organizations" when configuring your PAT:
Within your project, head to Project Settings > Service Connections > Security, verify that the user you're attempting to create a service connection with has access. If they don't, add them to the Endpoint Administrators group.
Again i got stuck to achive the target to trigger deployment once code is pushed to repo, I search the net but i found only old information github is updated and as per there instruction i setup all values but still not working so its look i am missing something I tried to follow the instruction but it seems old http://bytes.babbel.com/en/articles/2014-01-22-github-service-hook-for-aws-ops-works.html
The interface is confusing and i am confused because there is no connection between repo name and opswork service , so what value webhook should send to opswork service ?
Below is what i understood
Setup webhook and it will trigger and send pay load to CI or services as needed once code is pushed to repo (this part is working and send payload to some where) : But this is failing because its Payload URL should i give the opswork service url generated by git hub ?
Opswork services : This is not working ,
App
Given from AWS opswork's app : opswork ID
Stack
Given from AWS opswork's stack: opswork ID
Branch name
Here is the confussion again as per github help i need to give the SHA configured for that app in the AWS OpsWorks Console ? Why should i give SHA not the Master or the link of repo ?
GitHub api url
This is optional what should i give here ?
Aws access key
No issues
Aws secret access key
No issues
GitHub token
Optional : Created token as instructed , Both with token and without token not working.
So If you check opswork is not getting triggered , I thought when i push the changes it may work internally but not.
So its seems web hook and opswork service need to be interact at some level but unable to figure it out :(
I checked git hub help also found nothing for new interface
I checked google and stackoverflow too , but not found any thing
Kindly anyone please answer .
One alternative way would be to set up AWS CodePipeline (CodeDeploy??) to deploy to your AWS Opsworks stack.
CodePipeline is a Continuous Delivery solution from Amazon. Mid 2016 they announced that CodePipeline works with OpsWorks - see their blog announcement: AWS CodePipeline Adds Integration with AWS OpsWorks. There's some walkthroughs there too, depending on what version of OpsWorks your stack is set up for.
(It does feel a bit weird to use a deployment service to deploy to a service that has an existing deployment service... but eh, thought this might help)
The problem is with the process of Github and opswork , if there is any error then both do not report user with error.
I contacted to Github support and luckily they responded me back with error message "The security token included in the request is invalid."
Then i recopied the access key and secret key removed "GitHub api url" as blank and branch name to "master" (so it will always deploy the latest version aka head)
Also make sure you need to set permission again in opswork this is separate to IAM permission ,
Steps -> Goto your stack - Permission and edit -> add user github with permission "IAM Policies Only".
There is no interaction between web hooks and integrations . so you can make use of integration services without web hook :) .
Thanks to Stack overflow , Git-hub both :)