This repository has been archived by the owner on Sep 30, 2024. It is now read-only.
Excessive admin work required to set up an enterprise-wide Github EMU code host #63783
Comments
|
Thanks @twarit-waikar ! We're blocked by GitHub here unfortunately. On the Sourcegraph side we could allow a GitHub App connection to iterate over all the orgs it has been installed on, but that still requires the App to be installed on each individual org on the GitHub side |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Setting up a Github code host in an EMU environment requires quite a few adjustments from admins on both Sourcegraph and the Github EMU admin side if we plan for 100% code coverage.
The first step is to get the Sourcegraph IPs whitelisted from the Github EMU side for every org.
Next is to set up the code hosts on Sourcegraph.
1. Using a Github app
If our goal is 100% coverage in EMU, using a Github app to set up the code host requires the app to be installed on every single org that we have, with access to private repos as well. We can perform the app installation steps manually (including the authentication using our IdP, the IdP auth comes as a part of the EMU mandates in our case).
Next up the org needs to be explicitly allowed via the admin, for the Github user (that we've also used in the code host) to be able to clone user permissions.
2. Using a PAT
Again, if the goal is 100% coverage, the user needs to be added to the orgs as a collaborator, then the token we generate needs to be explicitly authorized to access every single org we need indexed. This again is a redirect to the IdP. This kind of an authorization is a single time process but as the number of orgs increase, this is not a suitable option (we can get 100s of orgs created at once).
Similar to above, these orgs need a 1-time approval from the Github EMU admin for the user that Sourcegraph is using to be able to clone user permissions.
The token authorization step can be worked around by using Selenium but still it doesn't account for new orgs that get added, requiring another Selenium run to authorize the token to access the new orgs, on a regular cadence.
There is a possibility to fix this if we went the Github app route and Github implemented a way to install apps on an enterprise level, or on orgs using an API (so that Sourcegraph can hit those APIs on it's own instead of needing manual intervention). However, the Github approval required on the EMU admin side will also need changes from Github.
In the current state, it is virtually impossible to onboard a large number of orgs to EMU at once onto Sourcegraph.
The text was updated successfully, but these errors were encountered: