Consider implementing as a GitHub App about opensource-management-portal HOT 9 CLOSED

We are trying to implement this code in our organization and I think we are running into a blocking issue based on this. When a new user logs in and is not part of an organization, they are unable to join the organization because the don't have the rights to do so. If the app were running at a GitHub app, we could grant those permissions to the app. Is there a way around this based on the current code?

from opensource-management-portal.

Rob: do you know which specific permission is causing the issue?

There's two things that need to happen to allow auto-accepting of invitations to work:

1. The actual token configured for the application has to come from an organization owner account (a personal access token is OK) - this is to allow inviting people to the org
2. The end user needs to have allowed the "increased" scope token with the org:write permission. This way, the app can "accept" the org invitation on behalf of the user immediately.

If you do not have #2, that's OK, the user will still receive the standard GitHub invitation either way and can accept it.

Sounds like perhaps the token you are using for the organization itself is not for an owner? Let me know how I can help.

As a general note, please have whoever is helping get this up and running open GitHub issues here or reach out to me over e-mail. We love that some people are experimenting or using this, but we do have a lot of Microsoft-specific logic and code that we've either tried to feature flag out or need to refactor. We do not often explore the app outside of those feature flags, so realize there are probably some bugs in there!

from opensource-management-portal.

I re-created a PAT from my account (I am an organization owner) just to make sure, but we are getting this error:

We are having trouble sending you an invitation through the GitHub organization to join the xxx organization. zzz Error message: You must be an organization owner or team maintainer to add a team membership.

But, I think I know what the issue might be. You gave me a template for the organizations file. I replaced the number, but I think they might be some internal id for a GitHub team. If that is the case, we should probably create our own teams and get the ids. How are these teams used?

[
{
"name": "",
"type": "private",
"ownerToken": "",
"description": "",
"teamAllMembers": "1111111",
"teamPortalSudoers": "222222",
"teamSudoers": "3333333",
"templates": ["mit", "microsoft.docs", "dnfmit", "other"],
"teamAllReposRead": "444444",
"teamAllReposWrite": "555555",
"cla": {
"Microsoft": "666666",
".NET Foundation": "7777777"
}
}
]

from opensource-management-portal.

The teamAllMembers is used to send an invitation for someone to join the organization. While technically the API allows joins independent of a team invite, when this was implemented in mid-2015, this was the only way to invite someone via an API.

The end result, which is opinionated but liked, was being able to have basically an 'Everyone' team, so if someone wanted to give read access to a private repo to everyone, that would be easy, regardless of the org-wide permissions. This feature may not be too useful. In the latest refactor the teamAllMembers is actually internally exposed as organization.invitationTeam but the config property has not changed its name.

To learn the GitHub IDs for an organization's teams, to help with onboarding, if you add a property onboarding: true to an organization in the config, instead of actually including it in the running app, during startup code will hit the GitHub API with the ownerToken and show you a mapping of team ID to name, to help complete this information.

from opensource-management-portal.

How are the other teams used? Or can they be omitted?

from opensource-management-portal.

It's fine to omit the rest. Portal sudoers and team sudoers might be eventually nice to have, they let people use the portal like an org owner, without having to be one, for some operations.

from opensource-management-portal.

It was the teamAllMembers. Once we get this thing live, we will try to commit some documentation and a couple of fixes we needed to make to get it to run as a container.

from opensource-management-portal.

Cool, thanks. We're running in a Kubernetes cluster on our side, I'll try and get that in so we can compare notes.

from opensource-management-portal.

Merged GitHub App support, finally. We're using it now across 84 organizations x4 apps each. A number of GitHub App bugs were discovered unfortunately so there are issues...

from opensource-management-portal.