ci: add workflow for team sync #224
Conversation
Triggers a sync when a TEAMS yml file is updated. Signed-off-by: Beth Griggs <bethanyngriggs@gmail.com>
Rugvip
left a comment
Rugvip
left a comment
There was a problem hiding this comment.
Assuming the script works as expected, workflow looks good! 👍
|
Any updates on the token needed for this? 🙏🏻 |
|
@BethGriggs did you verify that the current credentials don't work? I had a look at the token scopes and as far as I could find it's a classic token with |
|
Sorry, I am not sure I am following the last comment. Is the implication that Either way, the workflow is pretty minimal is it should good to ship, I think we just need to know which named secret it should use. |
|
Ah yes ofc, was assuming that this was using the existing secret for some reason but a separate one is better for sure. |
|
Ah, realized this very much won't work though since the service account doesn't have access to add and remove team members. Thinking we might need to use an app for this instead? 🤔 Not to happy having an org owner token in there either |
|
Hmm, do you know if that involve refactoring the script to use an app, as described in the GitHub docs - Authenticating as a GitHub app? |
|
Yep, as far as I can tell. I've created an app and installed it and added the following secrets to this repo with corresponding values:
Here's another place where we set up auth in workflows using app credentials: https://github.com/backstage/actions/blob/b3c1841fd69e1658ac631afafd0fb140a2309024/lib/createAppClient.ts#L3 |
|
Hi @BethGriggs, will you be able to pick this up or do you want us to find someone else to keep it moving forward? |
3 participants
Triggers a sync when a TEAMS yml file is updated.
Note that this would rely on
GITHUB_TOKEN: ${{ secrets.GH_TEAM_SYNC_TOKEN }}being created with appropriate permission to manage teams. I couldn't find a token/app used elsewhere with these permissions - but, it might be good to have a fine-grained scope for this token anyway?