Authenticate github API requests in CI
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• Pablo-WMDE
	Jun 3 2020, 7:26 AM

Description

We are in the process of developing a little tool for doc.wikimedia.org which is able to visualize (checked-in) bundle sizes over time (T253204). It leverages (e.g. ctrl+f "dist-size") the github graphql API at the build time to find those historic sizes.

At the moment we are piggy-backing on COMPOSER_GITHUB_OAUTHTOKEN (cf. T248387) as token for this connection but it is obviously not named for this purpose and we want to be sure there is some documentation (and vetting by whoever is in charge of that) for such use.

may we get a token for use in CI (mwext-node10-rundoc-docker, mwext-node10-docs-docker-publish) via env, please?
- in case a dedicated token is created, "graphql", "dist-size", "wikibase" would be good buzz words to tag it

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		• Pablo-WMDE	T253204 Provide observability of Data Bridge bundle sizes over time
		Resolved		• Pablo-WMDE	T254319 Authenticate github API requests in CI

Event Timeline

• Pablo-WMDE created this task.Jun 3 2020, 7:26 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 3 2020, 7:26 AM

I have no idea how the token has been generated for T248387

Presumably we could have CI to expose it the same token as GITHUB_OAUTHTOKEN?

Presumably we could have CI to expose it the same token as GITHUB_OAUTHTOKEN?

No objection. We could remove the purpose from the name (as you suggested) or create one dedicated to our purpose (correctly privileged) - as per findings from @Lucas_Werkmeister_WMDE the permissions repo:status & public_repo should suffice.

To me a general GITHUB_OAUTHTOKEN sounds good, as long as it doesn’t have any sensitive permissions (we probably don’t want to let it push commits, or read private repositories – though hopefully the production secrets aren’t on GitHub at all). A special-purpose variable would also work, of course.

Jdforrester-WMF moved this task from Untriaged to Next on the Continuous-Integration-Infrastructure board.Jun 11 2020, 5:03 PM

@bd808 @Reedy do you know how the Github token for CI got generated ( T248387#6000432 ) ?

This task is about having an unprivileged token and I assume that is the case of the token that got created. Then we can expose it as both COMPOSER_GITHUB_OAUTHTOKEN and GITHUB_OAUTHTOKEN.

In T254319#6216101, @hashar wrote:

@bd808 @Reedy do you know how the Github token for CI got generated ( T248387#6000432 ) ?

This task is about having an unprivileged token and I assume that is the case of the token that got created. Then we can expose it as both COMPOSER_GITHUB_OAUTHTOKEN and GITHUB_OAUTHTOKEN.

The token belongs to the GitHub account https://github.com/composer-ratelimits-suck. I have the password if you want it.

In T254319#6216101, @hashar wrote:

This task is about having an unprivileged token and I assume that is the case of the token that got created. Then we can expose it as both COMPOSER_GITHUB_OAUTHTOKEN and GITHUB_OAUTHTOKEN.

The token belongs to a completely unprivileged user, so I'd say feel free to expose it wherever it is needed. Probably best not to literally put it in git or on a wiki page, but injecting into Jenkins jobs as an envvar is what I set it up for.

Lydia_Pintscher added a project: Wikidata.Aug 25 2020, 1:00 PM

This is working for us - the variable from which this is sourced may not be ideal(?) but it's not hurting operation.

Thanks for making this fly!

hashar moved this task from Next to Done on the Continuous-Integration-Infrastructure board.Jun 4 2021, 9:52 AM

bd808 mentioned this in T329679: Set up mirror of the docker hub registry for gitlab-runners.Feb 15 2023, 8:52 PM

Authenticate github API requests in CIClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Authenticate github API requests in CI
Closed, ResolvedPublic
Actions

Related Objects
Search...