Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

REQUEST: Repository maintenance on opentelemetry-collector-contrib #1659

Closed
atoulme opened this issue Aug 28, 2023 · 24 comments
Closed

REQUEST: Repository maintenance on opentelemetry-collector-contrib #1659

atoulme opened this issue Aug 28, 2023 · 24 comments
Assignees
Labels
area/repo-maintenance Maintenance of repos in the open-telemetry org

Comments

@atoulme
Copy link
Contributor

atoulme commented Aug 28, 2023

Affected Repository

https://github.com/open-telemetry/opentelemetry-collector-contrib

Requested changes

Add a new PAT from the opentelemetry-bot with specific permissions to query the Github API for organization members.

Purpose

We are rolling out a tool that needs to get access to organization members list to check for codeowners.

See open-telemetry/opentelemetry-collector-contrib#20868 and open-telemetry/opentelemetry-collector-contrib#24638

Expected Duration

Permanently.

Repository Maintainers

  • @open-telemetry/collector-contrib-maintainer
@atoulme
Copy link
Contributor Author

atoulme commented Sep 29, 2023

Can I get any help on this? We are missing CI checks because of this, and it created regressions in our repository, specifically open-telemetry/opentelemetry-collector-contrib#27267

@tigrannajaryan
Copy link
Member

@open-telemetry/technical-committee who has access to opentelemetry-bot?

@tigrannajaryan
Copy link
Member

Add a new PAT from the opentelemetry-bot with specific permissions

@atoulme what are the permissions you need?

@jpkrohling
Copy link
Member

I have, and I'm looking into this right now. I'm struggling to figure out exactly which permissions are needed.

@atoulme
Copy link
Contributor Author

atoulme commented Oct 2, 2023

It needs "read:org, read:user"

@jpkrohling
Copy link
Member

I was able to generate the token, but I can't seem to be able to create the secret in that repo 🤦🏽 I guess someone from the TC will have to do both steps. @tigrannajaryan, would you do the honors?

@trask
Copy link
Member

trask commented Oct 2, 2023

I was able to generate the token, but I can't seem to be able to create the secret in that repo 🤦🏽 I guess someone from the TC will have to do both steps.

ya, this is the motivation behind #1652

@tigrannajaryan
Copy link
Member

I was able to generate the token, but I can't seem to be able to create the secret in that repo 🤦🏽 I guess someone from the TC will have to do both steps. @tigrannajaryan, would you do the honors?

@jpkrohling can you put the secret in our 1password, give me access to it and tell me what setting do you want in the repo to be updated?

@jpkrohling
Copy link
Member

Sorry for taking so long, I lost track of this one. I just created an entry in our 1password, within the OpenTelemetry Collector vault. I also added you to that vault, as I wasn't sure you'd have access to it. Given you are part of the TC, I believe you should.

@atoulme, other than the secret, do you need anything else updated in this repo?

@tigrannajaryan
Copy link
Member

@atoulme please tell what exactly you need to be done on the repo, I am not sure I understand.

@atoulme
Copy link
Contributor Author

atoulme commented Nov 1, 2023

I need a secret containing a PAT with the permissions "read:org, read:user" that we can reference as a secret in a github action runners workflow so we can query members of the organization to check codeowners.

@tigrannajaryan
Copy link
Member

@atoulme
Copy link
Contributor Author

atoulme commented Nov 2, 2023

Thanks working with that.

@bogdandrutu
Copy link
Member

Closing since @atoulme confirm it works.

@atoulme
Copy link
Contributor Author

atoulme commented Dec 21, 2023

Sorry, it didn't work. I just never had time to get back into this.

@trask
Copy link
Member

trask commented Jan 2, 2024

Sorry, it didn't work. I just never had time to get back into this.

reopening

@atoulme can you provide any more details / logs / errors that might help?

@trask trask reopened this Jan 2, 2024
@atoulme
Copy link
Contributor Author

atoulme commented Jan 3, 2024

The gh client doesn't work with username and password of the user. It would be best to remove those secrets from the repository, in case someone finds a way to abuse our checks and use those to login as opentelemetry-bot.

Here is what I would need. Logged in as the opentelemetry-bot user, you can generate a token using the following steps:

  • Go to https://github.com/settings/apps (Developer Settings)
  • Click on Personal Access Tokens and select Tokens (classic). It should get you to https://github.com/settings/tokens
  • Click on "Generate new token" up to the right, and select "Generate new token (classic)"
  • In the dialog, select the permission "read:org": Screenshot 2024-01-02 at 15 58 49
    ** Give a name to the token of your choosing
    ** Set up a rotation time for the token
  • Click "Generate token"
  • Copy the token value (should start with ghp_) into a github secret on the repository opentelemetry-collector-contrib.

@atoulme
Copy link
Contributor Author

atoulme commented Feb 14, 2024

hello folks, any upate on this issue?

@arminru arminru self-assigned this Mar 27, 2024
@arminru
Copy link
Member

arminru commented Mar 27, 2024

Hi @atoulme! Are you saying that the new PAT should replace the existing secrets OTEL_BOT_USERNAME and OTEL_BOT_PASSWORD in https://github.com/open-telemetry/opentelemetry-collector-contrib/settings/secrets/actions, or should it be added in addition to it?

@arminru
Copy link
Member

arminru commented Mar 27, 2024

@tigrannajaryan I see a PAT called opentelemetry-collector-contrib-1659 in the @opentelemetrybot account but it was never used. Is that the PAT you added for OTEL_BOT_PASSWORD already?

@tigrannajaryan
Copy link
Member

@tigrannajaryan I see a PAT called opentelemetry-collector-contrib-1659 in the @opentelemetrybot account but it was never used. Is that the PAT you added for OTEL_BOT_PASSWORD already?

@arminru I think yes, that's it, but I can't remember for certain.

@arminru
Copy link
Member

arminru commented Mar 27, 2024

@atoulme I re-generated the aforementioned token and stored it under READ_ORG_AND_USER_TOKEN in collector-contrib. I also removed the unused OTEL_BOT_USERNAME and OTEL_BOT_PASSWORD secrets from the repo. Since the former PAT was used as the "password", it would be invalidated now anyway and I think for PAT authentication you don't even need to know the username.

@atoulme
Copy link
Contributor Author

atoulme commented Mar 28, 2024

OK, I will try this out. I appreciate the help!

codeboten pushed a commit to open-telemetry/opentelemetry-collector-contrib that referenced this issue Apr 3, 2024
This PR introduces a check backed by a github token that tests the
content of .github/CODEOWNERS against the metadata of all the
components. Given that a token is used, and won't be present in builds
running with forks, this check is only made on the main branch of the
repository `open-telemetry/opentelemetry-collector-contrib`.

As such, I can't really test if it all works. The token is provisioned
by open-telemetry/community#1659. More context
in
#30552
@atoulme
Copy link
Contributor Author

atoulme commented Apr 3, 2024

It worked! We're good now. Thanks for all your help, closing.

@atoulme atoulme closed this as completed Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/repo-maintenance Maintenance of repos in the open-telemetry org
Projects
None yet
Development

No branches or pull requests

6 participants