Enforce SSO for our GitHub organisation #5740
Pausing work for a sprint to allow users to adopt, other feature work to proceed.
@kenoir I think this is completed, isn't it? Can this be closed?
Not yet, we still have weco-bot. We could schedule some work next sprint to look at this again.
What is weco-bot?
weco-bot is a machine user on GitHub that we use for a variety of automated actions. I believe this list to be exhaustive:
How does it interact with GitHub?
weco-bot's current actions are achieved through 3 mechanisms:
That is to say that weco-bot's identity is assumed by our CI servers using either:
How can we use a GitHub app instead?
Authenticating as an app installation is appropriate for all of these use cases.
While this seems straightforward, the mechanics of getting the access token in the right place are really quite complex. To get an installation access token, a machine first needs access to the app's private key in order to create a signed JWT with which to request the token. My guess at a minimal implementation would involve something like the following:
This is quite achievable but not trivial - are we sure that the benefits of enforcing SSO outweigh the complexity/risk involved in this solution? There is of course an alternative approach where SSO is enforced and we create a machine user identity in Azure AD - is that a better solution?
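The two-step flow the comment above describes (sign a short-lived JWT with the App's private key, then exchange it for an installation access token) as an added worked example. This is not code from this thread or from the project; the App ID 12345, installation ID 67890, repository name example-repo and the in-process key generation are assumptions standing in for values that would come from the App registration and the CI secret store.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// appJWTClaims is the claim set GitHub requires in a GitHub App JWT.
type appJWTClaims struct {
	Iss string `json:"iss"` // the App ID
	Iat int64  `json:"iat"` // issued-at, backdated to tolerate clock drift
	Exp int64  `json:"exp"` // must be no more than 10 minutes after iat
}

const (
	clockSkew   = 60 * time.Second
	jwtLifetime = 9 * time.Minute // stays inside GitHub's 10 minute ceiling
)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewAppJWT signs header.claims with the App's private key: RS256, i.e. RSASSA-PKCS1-v1_5 over SHA-256.
func NewAppJWT(appID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	claims, err := json.Marshal(appJWTClaims{Iss: appID, Iat: now.Add(-clockSkew).Unix(), Exp: now.Add(jwtLifetime).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAppJWT mirrors what GitHub does on receipt: checks the signature against the App's
// public key and enforces the claim window. Run it locally to catch a wrong key or a bad clock.
func VerifyAppJWT(token string, pub *rsa.PublicKey, now time.Time) (appJWTClaims, error) {
	var c appJWTClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("signature check failed: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Exp-c.Iat > 600 {
		return c, fmt.Errorf("exp is %ds after iat; GitHub allows at most 600", c.Exp-c.Iat)
	}
	if now.Unix() >= c.Exp {
		return c, fmt.Errorf("JWT expired at %d", c.Exp)
	}
	return c, nil
}

// InstallationTokenRequest builds (but does not send) the exchange: the App JWT goes in the
// Authorization header and the body narrows the resulting token to named repositories and
// permissions. The installation token GitHub returns expires after one hour.
func InstallationTokenRequest(jwt string, installationID int64, repos []string, perms map[string]string) (*http.Request, error) {
	body, err := json.Marshal(map[string]interface{}{"repositories": repos, "permissions": perms})
	if err != nil {
		return nil, err
	}
	url := fmt.Sprintf("https://api.github.com/app/installations/%d/access_tokens", installationID)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+jwt)
	req.Header.Set("Accept", "application/vnd.github+json")
	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
	return req, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // assumption: stands in for the key held in CI secrets
	if err != nil {
		panic(err)
	}
	jwt, err := NewAppJWT("12345", key, time.Now()) // hypothetical App ID
	if err != nil {
		panic(err)
	}
	req, err := InstallationTokenRequest(jwt, 67890, []string{"example-repo"}, map[string]string{"contents": "read"})
	if err != nil {
		panic(err)
	}
	fmt.Println(req.Method, req.URL.String())
}
```

The security-relevant points are in the shape of the flow rather than the code volume: only the private key holder can mint the JWT, the JWT itself is useless for more than ten minutes, and the installation token it buys can be scoped to one repository and one permission and dies after an hour. That is what the CI box ends up holding, rather than a long-lived personal access token for a machine user that SSO cannot govern. The open question in the thread stands: the private key still has to live somewhere the CI servers can read it.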
@agnesgaroux to have a look whether or not this can be closed/create new tickets if needed.
TO DO
The final part of this is migrating from Buildkite to GitHub Actions so the weco-bot credentials are not required to allow that build system to check out from GitHub. See #5783
We now have a GitHub enterprise supported account, we should take advantage of SSO.
We will need to: