Allow GitHub App as site-level code host connection

Warren Gifford requested to merge pjlast/38733-change-gh-app-config into main

Created by: pjlast

Allows GitHub App to be used as a site-level code host connection.

I implemented it alongside the SG Cloud GitHub App implementation. The idea is to remove the SG Cloud GitHub App once we're absolutely sure we won't need it anymore.

The way GitHub App connections are handled is a bit different. GitHub App works by accessing Installations, which are accounts on GitHub where the GitHub App is installed (i.e. user accounts or organizations). Instead of using only the user's GitHub ID as their Account ID, for GH App we use a combination of "Installation_ID/GH_User_ID". This allows us to handle some obscure edge cases, for example:

- A user has access to OrgA/RepoB, but OrgA requires SAML auth.
- When the user auths with GitHub, they don't initiate the SAML auth for whatever reason, but auth the rest of the repositories.
- This causes contention in the user vs repo permissions syncing. Repo sync still sees the user has access, but the user's OAuth token can't see the repo because of the SAML auth restriction.

By storing multiple identities as "Installation_ID/GH_User_ID", each installation's repo sync syncs to a unique ID, and that ID is only available if the user token has access to it as well.

Installation access is updated with each user sync, and linked accounts are expired and deleted together. The githubApp user external accounts always have NULL account data and auth data, as they are used for nothing except extra account mappings.

Test plan

Unit tests have been extended and manual testing has been done.
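The SAML edge case from the description, as an added Go sketch that is not code from this merge request. The function names, the installation and user IDs and the two-map model of repo sync and user sync are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// accountID builds the composite "Installation_ID/GH_User_ID" key.
func accountID(installationID, userID int64) string {
	return fmt.Sprintf("%d/%d", installationID, userID)
}

// linkedAccounts models the user sync (assumed shape): one external account
// per installation that the user's own token can see.
func linkedAccounts(userID int64, visibleInstallations []int64) map[string]bool {
	accts := make(map[string]bool, len(visibleInstallations))
	for _, inst := range visibleInstallations {
		accts[accountID(inst, userID)] = true
	}
	return accts
}

// visibleRepos intersects the two syncs: a grant written by repo sync counts
// only when user sync produced the same composite ID.
func visibleRepos(repoGrants map[string][]string, accts map[string]bool) []string {
	var out []string
	for repo, ids := range repoGrants {
		for _, id := range ids {
			if accts[id] {
				out = append(out, repo)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed data: installation 101 is OrgA (SAML enforced), 202 is OrgB.
	const user = 7
	repoGrants := map[string][]string{
		"OrgA/RepoB": {accountID(101, user)},
		"OrgB/RepoC": {accountID(202, user)},
	}
	// The token was never SAML-authorized for OrgA, so user sync lists only 202.
	accts := linkedAccounts(user, []int64{202})
	fmt.Println(visibleRepos(repoGrants, accts)) // OrgA/RepoB is withheld
}
```

With a bare GitHub user ID as the account key, the repo-sync grant for OrgA/RepoB would match the user directly; keying by installation makes the grant inert until the user's token can see that installation.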