[Feat]: Template synchronization across multiple github organization
Describe the feature
Support for template synchronization across multiple GitHub organizations. If you work with private repositories within an Enterprise organization, the token of a GitHub App is bound to one organization only.
Currently, the template synchronization GitHub Action uses only one github_token. If the scripts could use multiple github_tokens, or if you could specify a source and a destination github token that are used later on, you could most likely have template synchronization across multiple GitHub organizations under an enterprise umbrella. The teams would be required to somehow "share" the credentials and figure out a least-privilege approach, but the synchronization could be possible I guess.
Within the action it could look like this:
```yaml
- uses: actions/create-github-app-token@v1
  id: app-token-org-destination
  with:
    app-id: ${{ secrets.ORG_DESTINATION_APP_ID }}
    private-key: ${{ secrets.ORG_DESTINATION_PRIVATE_KEY }}
- uses: actions/create-github-app-token@v1
  id: app-token-org-source
  with:
    app-id: ${{ secrets.ORG_SOURCE_APP_ID }}
    private-key: ${{ secrets.ORG_SOURCE_PRIVATE_KEY }}
- name: actions-template-sync
  uses: AndreasAugustin/actions-template-sync@v2
  with:
    source_github_token: ${{ steps.app-token-org-source.outputs.token }}
    source_repo_path: Uniper-Streaming-Integration-Platform/confluent-cloud-terraform-template
    destination_github_token: ${{ steps.app-token-org-destination.outputs.token }}
    upstream_branch: main
```
The push function would most likely need to use the token of the destination, as far as I could figure out.
Use Case
Support template synchronization across multiple GitHub organizations with private repositories
Proposed Solution
No response
Acknowledgements
- [ ] I may be able to implement this feature request
Hi @alexvanderberkel and thanks for the approach.
Actually what I understand you like to have this action in one repo and push to other repos? Currently the way the action is working is that you need to have the workflow definition inside the target repository. So having in each repo the yaml definition with the same source is actually the way how you could solve it today?
We are running it currently in the target repo. We get it running towards the source but then it is failing against the target. I think the reason is that the github_token that is being injected belongs to the source GitHub organization. Once the push action towards the target organization is carried out it will use the token of the source organization and not of the target organization. Maybe I'm wrong in my understanding?
Thanks for the clarification. Totally misunderstood your issue and use case. Hmm 🤔 reading the code I can verify that with the current implementation your use case is not working. Actually I think this is even a bug. Need to think about the issue. It is overriding the GITHUB_TOKEN env variable for the step. Currently I think with a slight modification this should be solvable with a rename of the env variable. Then your use case should work without a change of the current parameters.
Absolutely no problem Andreas! In that case I haven't made myself clear enough. Thanks for all the work you put into this GitHub Action. Much appreciated your work.
Is the token that is being overwritten the token of the pipeline? So I think you are right: if we change the name of the variable slightly, it should be able to work without changing the current parameters.
Hi Andreas, can I help somehow in the development or testing?
Hi @alexvanderberkel and thanks for your offer. Development and testing is always welcome.
Would you like to take over the task?
I can give it a first try :-)
@all-contributors please add @alexvanderberkel for code and ideas and review
@AndreasAugustin I think I got it working. There is a new command "gh auth switch" that allows you to switch between two accounts. Unfortunately, we can't use the GH_TOKEN in the scripts. I believe this is reserved in the cli. In order to get it working I had to use a target_gh_token and a source_gh_token variable, as the cli otherwise would like to unset the gh_token and constantly got stuck in the process.
I have added a new test for a GitHub App as well. Within this run https://github.com/alexvanderberkel/actions-template-sync/actions/runs/12744697512/job/35517145849 you can see that the runner is logged into the default GitHub App that each run is using (target_gh_token) and into the source GitHub (source_gh_token) if the repository would be private.
It might not be fully working here and there, but I think we are very close.
https://github.com/cli/cli/discussions/8403#discussioncomment-11819521 some more information about where the gh_token is being used.
Let me know what you think
#598 is a preparation to be able to push into a different repository than the one where the action is located. And it is now possible to pull from a repo within a different organisation.
@AndreasAugustin There is still an error on the target org push. Still trying to figure out what the issue is. Any ideas? https://github.com/alexvanderberkel/actions-template-sync/actions/runs/13390630921/job/37397335055
I think yes. The checkout step checks out the current repo. You need to check out the target repo. Just add the path to the checkout step. Don't know the parameter off the top of my head.
With the current setup both histories, within the action and the target, are completely different.
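The two-credential flow proposed in the issue body, together with the unrelated-histories situation Andreas points out just above, as an added example that is not part of this thread or of actions-template-sync's own code. It runs entirely against local bare repositories that stand in for the source and the target org, so nothing touches GitHub; `source-org` and `target-org` are made-up names, and the `http.<url>.extraheader` values are placeholder strings rather than tokens. It shows two things: scoping each credential to its own org URL prefix makes git present the source token only to the source org and the target token only to the target org (actions/checkout persists its token through the same kind of extraheader entry, scoped to all of github.com), and a target repo that did not start from the template needs an `--allow-unrelated-histories` merge before the push with the target credential can succeed.

```shell
#!/usr/bin/env sh
# Added example, not part of actions-template-sync: sync a template repo into a
# target repo in another org with two separately scoped credentials.
# Everything below is constructed locally; the "tokens" are placeholders.
set -e

WORK="$(mktemp -d)"
# Identity and default branch for every git call in this script.
GIT="git -c user.name=sync-bot -c user.email=sync-bot@example.invalid -c init.defaultBranch=main"
CFG="$WORK/gitconfig"

# Scope each credential to its org's URL prefix. git attaches an http.<url>
# extraheader only to URLs matching that prefix, so the source org's token is
# never presented to the target org, and vice versa. (Hypothetical org names;
# the header values are placeholders, not real tokens.)
scope_tokens() {
  : > "$CFG"
  git config -f "$CFG" "http.https://github.com/source-org/.extraheader" \
    "AUTHORIZATION: basic SOURCE_TOKEN_PLACEHOLDER"
  git config -f "$CFG" "http.https://github.com/target-org/.extraheader" \
    "AUTHORIZATION: basic TARGET_TOKEN_PLACEHOLDER"
}

# Ask git which header it would attach for a given remote URL
# (exit status 1 and no output when no scoped entry matches).
token_for_url() {
  git config -f "$CFG" --get-urlmatch http.extraheader "$1"
}

# Bare repos standing in for the template (source org) and the consumer
# (target org), each seeded with its own, unrelated first commit.
make_repos() {
  rm -rf "$WORK/source.git" "$WORK/target.git" "$WORK/src-work" "$WORK/tgt-work"
  $GIT init -q --bare "$WORK/source.git"
  $GIT init -q --bare "$WORK/target.git"

  $GIT clone -q "$WORK/source.git" "$WORK/src-work" 2>/dev/null
  git -C "$WORK/src-work" symbolic-ref HEAD refs/heads/main
  echo "template v1" > "$WORK/src-work/TEMPLATE.md"
  $GIT -C "$WORK/src-work" add TEMPLATE.md
  $GIT -C "$WORK/src-work" commit -qm "template: initial"
  $GIT -C "$WORK/src-work" push -q origin main

  $GIT clone -q "$WORK/target.git" "$WORK/tgt-work" 2>/dev/null
  git -C "$WORK/tgt-work" symbolic-ref HEAD refs/heads/main
  echo "app" > "$WORK/tgt-work/README.md"
  $GIT -C "$WORK/tgt-work" add README.md
  $GIT -C "$WORK/tgt-work" commit -qm "app: initial"
  $GIT -C "$WORK/tgt-work" push -q origin main
}

# The workflow runs inside the target repo (as in this thread): fetch the
# template as a second remote, merge it, push back to origin (the target).
# With real remotes the fetch would carry the source header and the push
# the target header, chosen by the URL scoping above.
sync_template() {
  $GIT -C "$WORK/tgt-work" remote add template "$WORK/source.git"
  $GIT -C "$WORK/tgt-work" fetch -q template
  # The target's history did not start from the template, so the first sync
  # must allow unrelated histories; a conflict here aborts before any push.
  $GIT -C "$WORK/tgt-work" merge -q --no-edit --allow-unrelated-histories template/main
  $GIT -C "$WORK/tgt-work" push -q origin main
}

# What the target org's main branch now carries from the template.
synced_content() {
  git -C "$WORK/target.git" show main:TEMPLATE.md
}

scope_tokens
make_repos
sync_template
echo "header for source org: $(token_for_url https://github.com/source-org/template.git)"
echo "header for target org: $(token_for_url https://github.com/target-org/app.git)"
echo "target main now has TEMPLATE.md: $(synced_content)"
```

In a real workflow the two `git config` lines would be written with the two App tokens from the issue's `create-github-app-token` steps, and the URL prefixes would be the real org URLs; keeping them in a dedicated config file (here `$CFG`) rather than the global config also makes it easy to remove both credentials once the sync step is done.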
I had the same idea as well @AndreasAugustin. This leads to a different error as the action.yaml is not known to the run any longer. https://github.com/alexvanderberkel/actions-template-sync/actions/runs/13390557067/job/37397116461
Yes. Understood. The issue is that on the runner the file you are referencing in your sync step is missing, because you are using a local path. This won't happen when someone uses the action itself from the marketplace. So this is an issue for your current test.
Hmmm 🤔 how to solve this?
(Possible solution is to have the action files also located within the target repo.)
Or maybe easier for the current phase you reference a branch within your current repo. Maybe best is to use your current branch name because then it is using your latest changes when using the action. So uses: