-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate using organisation secret for Stata License key #139
Comments
@bloodearnest has pointed out to me that we'd need to update the Stata License playbook to include the codespace secret |
We currently don't have any organisation codespace secrets set |
On my own account, I have to select which repositories have access to my user codespace secret - repositories created from this template do not inherit this |
This seems like a viable approach. We should do a test implementation of this to check our assumptions regarding opensafely CLI, and repositories created outside of the opensafely org (by members and non-members of the org) |
Timebox: 1/2 day
We currently require read permission to the opensafely/server-instructions repo such that OpenSAFELY CLI can contact it to get the Stata license key.
research-template/.devcontainer/devcontainer.json
Lines 23 to 26 in c083d8f
This was added in order to enable Stata actions to be run locally within a codespace/interactive Stata development via
opensafely exec
. On starting a new codespace, this configuration causes a users to be prompted to authorise access to this permission request. This has caused some confusion with new users, particularly those going through the Getting Started Guide. There is a troubleshooting codespaces entry for this prompt in the docs, but it's not front-and-centre.It would be nice if we could remove this permission and corresponding prompt.
job-runner (which is vendored into the CLI) looks for a environment variable containing the key, and if this is not set it will try to contact the github repo in question.
https://github.com/opensafely-core/job-runner/blob/a4e9cb4a1ff57f9751b970c4f6530d95755ff6bd/jobrunner/cli/local_run.py#L336-L340
There is an
opensafely
organisation GitHub Action Secret (thanks, @lucyb ) which contains the stata license key which is used to enable running of Stata actions in CI.Also available are GitHub Codespace Secrets - if we were to set an
opensafely
organisation codespaceSTATA_LICENSE
secret, this would set this as an env var for all codespaces started from repos in the opensafely organisation. By setting this env var, I believe we would no longer need the cross-repository permission to be configured here.HOWEVER
we might not be on the right plan for thisI've been informed we have Github Team not Free so this should be OKThe text was updated successfully, but these errors were encountered: