[GH Request] Create a new bot that runs repo health job on openedx repos #738

Closed
ohnickmoy opened this issue May 3, 2023 · 13 comments
Labels: github-request (Request for change to access level or settings in the openedx GitHub organization.)

Comments

@ohnickmoy

Firm Name

2U

Urgency

Medium (< 2 weeks)

Problem/Request

Carry over from #717

As discussed from the above linked issue, Axim and 2U decided to have a separate bot user run the repo health check on their repos so that security practices don't get exposed to each other.

Information in regards to this comment:

  1. The code is from the repo health check repo. Details on how it works can be found here. The Jenkins job that currently runs this is daily.
  2. As mentioned before, automation most likely is a GitHub Action. Arch-BOM was working on something for it. See here.
  3. Output is to a spreadsheet. https://docs.google.com/spreadsheets/d/1VCxNVq-niT-uv5BFmsYPF21r6I2-IQ-GJbidF0zUPBc/edit#gid=2112698716

Other steps:

  1. Create the bot
  2. Grant it write access

Reasoning

This is mainly for getting information for Dependabot alerts into the spreadsheet so that repo owners are on top of things when updating repos and keeping things secure.

@ohnickmoy ohnickmoy added the github-request Request for change to access level or settings in the openedx GitHub organization. label May 3, 2023
@openedx-workflow-automation

Thank you for your report! @openedx/axim-oncall will triage within a business day. Simple requests usually take 2-3 business days to resolve; more complex requests could take longer.

@e0d

e0d commented May 3, 2023

@kdmccormick it seems like you are already in the weeds on this, should you be the assignee?

@kdmccormick
Member

@e0d I'm at capacity right now, but I could work on this next time I'm on call, 5/29-6/9.

@e0d

e0d commented May 3, 2023

@ohnickmoy does that delay work for you or do you need this sooner?

@rgraber

rgraber commented May 5, 2023

I was the original requester. We're in no particular rush, this is just a relatively long-standing issue we wanted to address.

@kdmccormick
Member

Sounds good, I'll take a look in early June then.

@kdmccormick
Member

(late June)

@kdmccormick
Member

@ohnickmoy @rgraber Coming back to this (thanks for your patience!), I see that @UsamaSadiq has made progress in moving the repo health dashboard collection job to GitHub Actions: edx/edx-arch-experiments#66

Given that GitHub Actions running from openedx repositories all have a $GITHUB_TOKEN available, which grants write access to that repository, I imagine that a new bot user is not needed. If I'm understanding correctly, then, all you folks need is a write access token to a spreadsheet in the Axim organization as a destination for the data.

Does that sound right? Am I missing anything?

@rgraber

rgraber commented Jun 26, 2023

From my perspective I just need to make sure the GITHUB_TOKEN can also access dependabot alerts.

@kdmccormick
Member

Yes, the GITHUB_TOKEN should grant access to dependabot alerts, unless any repository admins have explicitly changed this setting to "Read repository contents and package permissions":

image

If that is the case (which would surprise me), then let me know, and we can reach out to those repos' maintainers and explain that we are changing the setting to "Read and write", unless they have any specific objections.

@rgraber

rgraber commented Jun 26, 2023

Ok. I think we should be able to find out if we don't have access.

@kdmccormick
Member

I created and shared this blank Google sheet, but I'm not sure what the best way is to create a Sheets API key for you folks to put into the repo health jobs.

I figure that you all have an idea how you'd like to connect to Google Sheets since you've done it before. So, if and when you want this data to be pushed into an Axim-owned spreadsheet, just open a new Axim request with instructions for us on how to create an API key for the repo health job. Alternatively, if you folks would like to own the output sheet, that works too.

@ohnickmoy
Author

@rgraber, do you wanna discuss the sheet logistics sometime in the future?
