
Comments (8)

ajilty avatar ajilty commented on August 30, 2024 1

@jorsmatthys We had a similar challenge. I think I got this working in a way that meets your needs as well. I grabbed the installation IDs for each Org that our App was installed on and added them to a matrix in a workflow file. A job is created for each Org/App Installation ID

name: "Enable GHAS"
on:
  push:
    branches: [main, master]
  # schedule:
  #   - cron: "5 16 * * 1"
env:
  APP_ID: xxx
  APP_CLIENT_ID: xxx
  APP_CLIENT_SECRET: ${{ secrets.GHAS_ENABLEMENT_APP_CLIENT_SECRET }}
  APP_PRIVATE_KEY: ${{ secrets.GHAS_ENABLEMENT_APP_PRIVATE_KEY }}
  # APP_INSTALLATION_ID: <Set in matrix>
  # -or-
  # GITHUB_API_TOKEN: ${{ secrets.GHAS_ENABLEMENT_PAT }}

  GITHUB_ENTERPRISE: "xxx"
  ENABLE_ON: "secretscanning,dependabot"
  DEBUG: "ghas:*"
  CREATE_ISSUE: "false"
  GHES: "false"
jobs:
  enable-ghas:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        app_install_id: [<idA>, <idB>, ...]
    env:
      APP_INSTALLATION_ID: ${{ matrix.app_install_id }}
    steps:
      - uses: actions/checkout@v2
      - name: Get dependencies and configure
        run: |
          yarn
          yarn getRepos
      - name: Enable security on organization
        run: |
          npm run start

from ghas-enablement.

NickLiffen avatar NickLiffen commented on August 30, 2024

Hey @jorsmatthys 👋

So I am trying to figure out how this is going to work 🤔

Would the github app not have to be installed on every org beforehand? And every github app would have its own App ID and App Private Key 🤔

I have done some digging and can't seem to have an app installed across multiple organisations easily 😢

If there was an idea of an enterprise app, that would be amazing! but I don't think there is one 😢

Keen to get your thoughts.


jorsmatthys avatar jorsmatthys commented on August 30, 2024

Hello :)

Apps that we host ourselves, we configure them under only one organisation, and then we can easily install them to all other organisations. So there is only one App ID and one App Private Key in that case.


To make the install buttons for the other organisations visible you do, however, have to go to the advanced settings of the GitHub app and click on "Make this GitHub app public" (had to look for that a while as well).
So the app configuration doesn't live under the enterprise level, but it is available to the enterprise. We chose to configure the app under the organisation where we have a copy of the source code in a repo, so it isn't completely random.


NickLiffen avatar NickLiffen commented on August 30, 2024

@jorsmatthys 👋 just to make sure something, are you on GHES? (enterprise server)?

The problem with making this public on GHEC is anyone is able to install the app on their github instance I think. So it wouldn't be scoped to every org within your enterprise, it would be literally EVERY org in the whole of github.com 👀

I think this would work though for GHES. If you could confirm that, that would be great 👍


jorsmatthys avatar jorsmatthys commented on August 30, 2024

Hmmz thanks for the info, interesting point you make. 😃

We are on GHEC and in our case, the public page of our app does not appear to be visible outside our enterprise. I just tried to access it while being logged in with my personal user, and I get a not found. But that could be because of other settings at the enterprise level (nothing in our enterprise is made completely public).

Since the public page urls are like: https://github.com/apps/app-name that also should have given away that it is not meant to be enterprise scoped (but I didn't need the url so didn't pay attention to it).

I can't test on GHES personally.


jorsmatthys avatar jorsmatthys commented on August 30, 2024

@NickLiffen It seems like a hassle to have to configure multiple keys indeed, for me this can be closed for now but I leave it up to you :) I feel like a feature should be there to expose Apps internally. If I find a request for that which is still open, I will join the call. Thanks for pointing out my misconception.


NickLiffen avatar NickLiffen commented on August 30, 2024

Hey @jorsmatthys 🙇

this is 100% not your misconception at all 🙇 this is great feedback. I think, for now, getting this working is going to be quite complex. I chatted to a few internal people and I think the solution is to wait and see what comes this year to help solve this 👍 I will close this out for now, however, I will do some digging and once something becomes available, I will get around to this 👍


jorsmatthys avatar jorsmatthys commented on August 30, 2024

Hi @ajilty Thanks for the reply/example :) that is indeed a nice solution and it is what we ended up doing as well, we made a matrix that uses a list of organization details and a list of languages and runs the tool for every combination.

