Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate using organisation secret for Stata License key #139

Open
Jongmassey opened this issue Sep 25, 2024 · 6 comments
Open

Investigate using organisation secret for Stata License key #139

Jongmassey opened this issue Sep 25, 2024 · 6 comments

Comments

@Jongmassey
Copy link
Contributor

Jongmassey commented Sep 25, 2024

Timebox: 1/2 day

We currently require read permission to the opensafely/server-instructions repo such that OpenSAFELY CLI can contact it to get the Stata license key.

"repositories": {
"opensafely/server-instructions": {
"permissions": {
"contents": "read"

This was added in order to enable Stata actions to be run locally within a codespace/interactive Stata development via opensafely exec. On starting a new codespace, this configuration causes a users to be prompted to authorise access to this permission request. This has caused some confusion with new users, particularly those going through the Getting Started Guide. There is a troubleshooting codespaces entry for this prompt in the docs, but it's not front-and-centre.

It would be nice if we could remove this permission and corresponding prompt.

job-runner (which is vendored into the CLI) looks for a environment variable containing the key, and if this is not set it will try to contact the github repo in question.

https://github.com/opensafely-core/job-runner/blob/a4e9cb4a1ff57f9751b970c4f6530d95755ff6bd/jobrunner/cli/local_run.py#L336-L340

There is an opensafely organisation GitHub Action Secret (thanks, @lucyb ) which contains the stata license key which is used to enable running of Stata actions in CI.

Also available are GitHub Codespace Secrets - if we were to set an opensafely organisation codespace STATA_LICENSE secret, this would set this as an env var for all codespaces started from repos in the opensafely organisation. By setting this env var, I believe we would no longer need the cross-repository permission to be configured here.

HOWEVER

Note: Organization-level secrets and variables are not accessible by private repositories for GitHub Free. For more information about upgrading your GitHub subscription

we might not be on the right plan for this I've been informed we have Github Team not Free so this should be OK

@Jongmassey
Copy link
Contributor Author

@bloodearnest has pointed out to me that we'd need to update the Stata License playbook to include the codespace secret

@Jongmassey
Copy link
Contributor Author

We currently don't have any organisation codespace secrets set
image
(thanks @lucyb for the image), we could easily set a test one to check my assumptions here

@Jongmassey Jongmassey self-assigned this Oct 1, 2024
@Jongmassey
Copy link
Contributor Author

image

image

@Jongmassey
Copy link
Contributor Author

On my own account, I have to select which repositories have access to my user codespace secret - repositories created from this template do not inherit this

@Jongmassey
Copy link
Contributor Author

Jongmassey commented Oct 1, 2024

@lucyb could you see if for an organisation-level codespace secret, it is still necessary to individually select which repos have access ?

Image

Thanks to @inglesp , we can see that we grant access to this secret to All Repositories, Private Repositories, or selected repositories.

@Jongmassey
Copy link
Contributor Author

This seems like a viable approach. We should do a test implementation of this to check our assumptions regarding opensafely CLI, and repositories created outside of the opensafely org (by members and non-members of the org)

@Jongmassey Jongmassey removed their assignment Oct 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant