REQUEST: Repository maintenance on open-telemetry/opentelemetry.io
#2234
Comments
There are multiple PATs associated with that account. Based on this doc, I assume the one we're talking about is "OpenTelemetry GitHub Org Secret". According to this document, anyone with write access to a repository can assign issues and pull requests. Does this mean we need to assign the bot the |
@jack-berg thanks for looking into this, the current issue is that the bot can not identify the groups, I guess it is admin:org > read:org?
|
Yes that seems reasonable. Can you open a PR to update the OpenTelemetry Bot asset doc, indicating that it has this new scope and a brief explanation of what use cases it enables? |
Will do! |
After trying out a few variations of that, the issue boils down to the problem that @opentelemetrybot does not have the right permissions on the opentelemetry.io repository to request code reviews. Only if at least “Important: You do not need to (and should not) give this account any permissions to any OpenTelemetry repository.” https://github.com/open-telemetry/community/blob/main/assets.md#opentelemetry-bot |
The PR that introduced that note on not assigning permissions to the bot: By using component owners and not CODEOWNERS we would reduce the number of members with write permissions significantly, and replace it with the bot having triage permissions. I think that this would be better. |
I think the idea at the time was that we would give out individual fine-grained @opentelemetrybot tokens for anything that needed write access to a repo |
Thanks for clarification. In this particular use case we would not even need write permissions, triage would be fine, would we have any concerns with that? Looking through the permissions I don't see anything I would be concerned about: |
with the new PAT |
It works also in the workflow, I just tested it 🎉 One last question: the key will expire in 12 months from now? How do we make sure that we reset the value early? |
@svrnm It looks like @opentelemetrybot still has triage access to the website repo. Can you remove that access and see if it still works? Thanks!
Can you open a new issue for this, and we can add it to the Infrastructure SIG project board? I think @austinlparker was right about possibly needing some automation (in this case reminders?) around opentelemetrybot token maintenance. |
I thought I had removed it before :-/ without these permissions we are back to the error:
I will keep the permissions set to have the workflow working right now, later when we are all available we can remove them once again and get it working without it. |
Not sure. Low tech way is to set a reminder and follow up. |
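The expiry question and the reminder idea in the comments above could also be covered by a scheduled check. The sketch below is an added example, not code from this thread or from the OpenTelemetry project: it audits the response headers a GitHub REST API call returns for a classic PAT, reporting missing scopes (the `read:org` scope discussed here) and whether the token is inside a rotation window. The header value format, the 30-day window, the function names and the sample values are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: response headers from an authenticated GitHub REST API
# call made with a classic PAT (values are illustrative, not from the thread).
SAMPLE_HEADERS = {
    "X-OAuth-Scopes": "read:org, repo",
    "GitHub-Authentication-Token-Expiration": "2025-08-01 12:00:00 UTC",
}

# Broader org scopes include the narrower ones.
IMPLIED = {"admin:org": {"write:org", "read:org"}, "write:org": {"read:org"}}


def parse_expiration(value):
    """Parse the expiration header (assumed 'YYYY-MM-DD HH:MM:SS UTC' or a numeric offset)."""
    value = value.strip()
    if value.endswith(" UTC"):
        naive = datetime.strptime(value[:-4], "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z")


def audit_token(headers, now, required_scopes, warn_days=30):
    """Report missing scopes and whether the token is inside the rotation window."""
    h = {k.lower(): v for k, v in headers.items()}
    granted = {s.strip() for s in h.get("x-oauth-scopes", "").split(",") if s.strip()}
    for scope in list(granted):
        granted |= IMPLIED.get(scope, set())
    expires = h.get("github-authentication-token-expiration")
    days_left = (parse_expiration(expires) - now).days if expires else None
    return {
        "missing_scopes": sorted(set(required_scopes) - granted),
        "days_left": days_left,  # None means the token has no expiry header
        "rotate": days_left is not None and days_left <= warn_days,
    }


if __name__ == "__main__":
    now = datetime(2025, 7, 15, 12, 0, 0, tzinfo=timezone.utc)  # fixed for the demo
    print(audit_token(SAMPLE_HEADERS, now, ["read:org"]))
```

In a scheduled workflow the headers would come from one authenticated API request made with the bot token, and the job would fail or open an issue when `rotate` is true or `missing_scopes` is non-empty.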
@svrnm marking this as resolved - feel free to re-open if there is more to do. |
@jack-berg the opentelemetrybot still has "triage" permissions on the opentelemetry.io repository; without it I get an error. If we can leave it like that, I am fine, otherwise we need to figure out what's missing for that token |
I wonder if the token needs I've run into a semi-related issue before: |
Maybe? Probably we need to try. Can we (@trask @jack-berg and I) find some time in early September to sit together for ~1hr and work on this in sync? It works right now with the |
Affected Repository
https://github.com/open-telemetry/opentelemetry.io
Requested changes
Upgrade the opentelemetry bot PAT (OPENTELEMETRYBOT_GITHUB_TOKEN) to have permissions to assign issues
Purpose
Since CODEOWNERS requires teams to have write permissions on a repository, there are currently lots of groups with that permission on the otel.io repo. To reduce that requirement, we want to roll out @dyladan's componentowner workflow. To make this workflow work with GitHub teams (like open-telemetry/docs-approvers) the workflow needs a PAT that has the permission to assign an issue. The normal GITHUB_SECRET lacks the visibility into the org for that. See https://github.com/dyladan/component-owners?tab=readme-ov-file#using-own-access-token for more details on required settings
Expected Duration
permanently
Repository Maintainers
@open-telemetry/docs-maintainers