$ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.64.7
go install mvdan.cc/gofumpt@latest
go install github.com/daixiang0/gci@latestgo run github.com/abcxyz/github-token-minter/cmd/minty@main \
private-key import \
-key=${KEY_NAME} \
-key-ring=${KEY_RING_NAME} \
-project-id=${PROJECT_ID} \
-private-key=@${KEY_FILE_NAME}You need a GitHub App in your GitHub org.
To do this go to your org settings page: https://github.com/organizations/${YOUR_ORG}/settings/profile
- Expand Developer settings (last option on left sidebar) and click GitHub Apps.
- Click "New GitHub App" on top right.
- Give your App a name and Homepage URL (it doesn't matter what you have there).
- Note where "Webhook" is. Uncheck "Active" for now, we will configure later.
- Expand "Repository Permissions". Add following:
- Actions: Read-only
- Administration: Read and Write
- Metadata: Read-Only
- Expand "Organization Permissions". Add following:
- Administration: Read and Write # TODO: is this needed?
- Self-hosted runners: Read and Write
- Click "Create GitHub App" at bottom of screen.
- Find your app listed in Developer Settings in your org settings page.
- Take note of App ID
- Click Edit
- Scroll down to almost the bottom for "Private Keys"
- Click "Generate a private key"
- A .pem file will be downloaded. This is a secret. Keep it safe.
Now that the GitHub App exists, it needs to be added to your org.
- Navigate to Org setting page https://github.com/organizations/${YOUR_ORG}/settings/profile
- Expand Developer settings (last option on left sidebar) and click GitHub Apps.
- Select Your App
- On the left bar, select "Install App"
- Select your org.
Prereqs: Sudoless docker installed. Not currently set up to work with GitHub Enterprise Server.
Now we have an app and a .pem key, we should be able to create JIT configs. These are one-time tokens that allow a runner to register itself with GitHub.
test_local.sh is set up for this. You just need to change a few values in
the go run command under # Generate JIT Config:
- Set app-id to the app id found in Step 8. of GitHub App Creation.
- Set
private-keyto the path of your.pemfile you downloaded. - Set
orgto the name of your GitHub org. - Set
runner-group-idto the value of your runner group. You can just use1which is the default runner group added to each org.
Now run the script. You should see it build the image, then see output for runner startup and finally see it waiting for a request.
If this doesn't happen, something went wrong, you should figure it out before continuing.
TODO
The CI/CD pipeline for this project includes a workflow to test pull requests that modify the webhook. This workflow deploys a temporary, isolated instance of the webhook to the autopush environment and runs a series of tests against it.
To enable secure end-to-end testing, a dedicated webhook secret named webhook-pr-test-secret is used. This secret is managed as a permanent resource in the google-infra-gcp repository and is stored in Google Cloud Secret Manager in the action-dispatcher-webhook-a-18 project.
The github-automation-bot service account has the roles/secretmanager.secretAccessor permission for this secret, allowing the CI/CD pipeline to fetch it and use it to sign mock webhook payloads.
If this secret needs to be rotated, follow these steps:
-
Generate a new secret value:
openssl rand -hex 32
-
Add the new value as a new version to the existing secret: You must have the
secretmanager.secretVersionAdderIAM role on theaction-dispatcher-webhook-a-18project to perform this action.printf "YOUR_NEW_SECRET_VALUE\n" | gcloud secrets versions add "webhook-pr-test-secret" --data-file=- --project="action-dispatcher-webhook-a-18"
-
The CI/CD workflow will automatically pick up the
latestversion of the secret.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
![@gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=64&v=4){kind=small}