This repository was archived by the owner on Sep 30, 2024. It is now read-only.

Excessive admin work required to set up an enterprise-wide GitHub EMU code host #63783

@twarit-waikar

  • Sourcegraph version: 5.3.1
  • Platform information: RHEL9, AWS

Setting up a GitHub code host in an EMU environment requires quite a few adjustments from admins on both Sourcegraph and the GitHub EMU admin side if we plan for 100% code coverage.

The first step is to get the Sourcegraph IPs whitelisted from the GitHub EMU side for every org.

Next is to set up the code hosts on Sourcegraph.

1. Using a GitHub app

If our goal is 100% coverage in EMU, using a GitHub app to set up the code host requires the app to be installed on every single org that we have, with access to private repos as well. We can perform the app installation steps manually (including the authentication using our IdP; the IdP auth comes as a part of the EMU mandates in our case).

Next up, the org needs to be explicitly allowed via the admin, for the GitHub user (that we've also used in the code host) to be able to clone user permissions.

2. Using a PAT

Again, if the goal is 100% coverage, the user needs to be added to the orgs as a collaborator, then the token we generate needs to be explicitly authorized to access every single org we need indexed. This again is a redirect to the IdP. This kind of authorization is a one-time process, but as the number of orgs increases, this is not a suitable option (we can get 100s of orgs created at once).

Similar to above, these orgs need a 1-time approval from the GitHub EMU admin for the user that Sourcegraph is using to be able to clone user permissions.

The token authorization step can be worked around by using Selenium but still it doesn't account for new orgs that get added, requiring another Selenium run to authorize the token to access the new orgs, on a regular cadence.


There is a possibility to fix this if we went the GitHub app route and GitHub implemented a way to install apps on an enterprise level, or on orgs using an API (so that Sourcegraph can hit those APIs on its own instead of needing manual intervention). However, the GitHub approval required on the EMU admin side will also need changes from GitHub.

In the current state, it is virtually impossible to onboard a large number of orgs to EMU at once onto Sourcegraph.
