
[GH Request] Investigate permissions of Github token being used to fetch data from the openedx org #863

Closed
ohnickmoy opened this issue Aug 22, 2023 · 8 comments
Assignees
Labels
github-request Request for change to access level or settings in the openedx GitHub organization.

Comments

@ohnickmoy

Firm Name

2U (edx)

Urgency

Low (2 weeks)

Problem/Request

A follow up from #738

After the initial work from Axim and Arch Bom, Jeremy proposed follow up work here: #530 (comment)

I'm told that Arbi-BOM also plans to reach out to help investigate. This is just me getting the ball rolling for them since this intersects with my work on SWG.

Based on the GitHub docs, since these are public repos, confirm that the token used for the job has the public_repo scope.

https://docs.github.com/en/free-pro-team@latest/rest/dependabot/alerts?apiVersion=2022-11-28#list-dependabot-alerts-for-a-repository

You must use an access token with the security_events scope to use this endpoint with private repositories. You can also use tokens with the public_repo scope for public repositories only.

Reasoning

We're trying to get dependabot alert data onto the repo health data for Open edX repos.

@ohnickmoy ohnickmoy added the github-request Request for change to access level or settings in the openedx GitHub organization. label Aug 22, 2023
@openedx-workflow-automation

Thank you for your report! @openedx/axim-oncall will triage within a business day. Simple requests usually take 2-3 business days to resolve; more complex requests could take longer.

@ohnickmoy

@jmbowman

@e0d

e0d commented Aug 29, 2023

Will move to blocked until Arbi-BOM chimes in with further details.

@e0d e0d moved this from Backlog to Blocked in Axim Engineering Tasks Aug 29, 2023
@e0d e0d self-assigned this Aug 29, 2023
@iamsobanjaved

During the investigation of why the dependabot_alerts checks have inconsistent data, I found that the data related to dependabot_alerts for all openedx repos is missing. On further digging, I found that the token has limited access to fetch that data from openedx repos. I am getting the following error for all openedx repositories.

ERROR repo_health.check_dependabot_alerts:check_dependabot_alerts.py:28 An error occurred while fetching bok-choy. status code 403 content info b'***"message":"You are not authorized to perform this operation.","documentation_url":"https://docs.github.com/rest/dependabot/alerts#list-dependabot-alerts-for-a-repository"***'.
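The issue body quotes the scope rule for the list-dependabot-alerts endpoint (security_events for any repository, public_repo for public repositories only), and the log line above shows what a token without the right scope gets back: HTTP 403 with "You are not authorized to perform this operation." The following is an added example, not code from this issue or from the repo-health checks project: it applies that documented scope rule to the scopes GitHub reports in the X-OAuth-Scopes response header for classic tokens, and classifies a response from the endpoint so a 403 caused by a missing scope is told apart from rate limiting or a repository the token cannot see. The function names and the sample responses are constructed for illustration; the treatment of the repo scope as a superset of public_repo follows GitHub's scope documentation.

```python
"""Classify a GitHub 'list Dependabot alerts' response and check token scopes.

Added example (not code from this issue or the repo-health checks project).
Function names, header handling and the sample responses are constructed for
illustration; the scope rule itself is the one quoted in the issue body.
"""
import json
from typing import Mapping, Tuple

# Scopes the GitHub docs name for this endpoint (quoted in the issue body).
SCOPE_SECURITY_EVENTS = "security_events"  # works for any repository
SCOPE_PUBLIC_REPO = "public_repo"          # public repositories only
SCOPE_REPO = "repo"                        # full repo scope; documented superset of public_repo

# Constructed sample mirroring the 403 body in the issue's log line, including the
# '***' that appears there in place of the JSON braces (so it is not valid JSON).
MASKED_403_BODY = (b'***"message":"You are not authorized to perform this operation.",'
                   b'"documentation_url":"https://docs.github.com/rest/dependabot/alerts'
                   b'#list-dependabot-alerts-for-a-repository"***')


def parse_scopes(header_value) -> set:
    """Split the X-OAuth-Scopes response header (sent for classic tokens) into scope names."""
    if not header_value:
        return set()
    return {part.strip() for part in header_value.split(",") if part.strip()}


def token_can_list_alerts(scopes: set, private: bool) -> bool:
    """Documented rule: security_events works everywhere, public_repo only on public repos."""
    if SCOPE_SECURITY_EVENTS in scopes or SCOPE_REPO in scopes:
        return True
    return (not private) and SCOPE_PUBLIC_REPO in scopes


def _message(body) -> str:
    """Return GitHub's error 'message' field, or the raw text when the body is not valid
    JSON (as with the masked body shown in the issue's log line)."""
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    try:
        parsed = json.loads(text)
        if isinstance(parsed, dict):
            return str(parsed.get("message", ""))
    except ValueError:
        pass
    return text


def diagnose(status: int, headers: Mapping[str, str], body, private: bool = False) -> Tuple[str, str]:
    """Return (verdict, explanation) for one response from the alerts endpoint."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scopes = parse_scopes(lowered.get("x-oauth-scopes"))
    msg = _message(body)
    if status == 200:
        return "ok", "alerts returned"
    if status == 403:
        if "rate limit" in msg.lower():
            return "rate_limited", msg
        if "not authorized" in msg.lower() or not token_can_list_alerts(scopes, private):
            need = SCOPE_SECURITY_EVENTS if private else f"{SCOPE_PUBLIC_REPO} or {SCOPE_SECURITY_EVENTS}"
            seen = ", ".join(sorted(scopes)) or "(no X-OAuth-Scopes header: fine-grained token or GITHUB_TOKEN)"
            return "missing_scope", f"token needs {need}; scopes seen: {seen}"
        return "forbidden", msg
    if status == 404:
        return "not_found", "repository not visible to this token or does not exist"
    return "unexpected", f"HTTP {status}: {msg}"


if __name__ == "__main__":
    # Constructed responses: the issue's 403, a successful public-repo read, and a rate limit.
    samples = [
        (403, {"X-OAuth-Scopes": "read:org"}, MASKED_403_BODY, False),
        (200, {"X-OAuth-Scopes": "public_repo"}, b"[]", False),
        (403, {}, b'{"message":"API rate limit exceeded for 203.0.113.5."}', False),
    ]
    for status, headers, body, private in samples:
        print(status, *diagnose(status, headers, body, private))
```

Running the block prints a verdict for each constructed response; in a real check the status, headers and body would come from the HTTP client call to the endpoint linked in the issue, and the diagnose() result is what the check would log instead of the bare 403 above. Note that GITHUB_TOKEN and fine-grained tokens do not carry an X-OAuth-Scopes header, so for those the verdict rests on the error message alone.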

@e0d

e0d commented Sep 1, 2023

There's more here than simply updating permissions. If I understand correctly, you are trying to connect from a workflow that is running in the edx GitHub organization to an endpoint providing data about repositories in the openedx GitHub organization.

If I understand correctly, we'll need to take an expanded approach. Please confirm that I've understood correctly.

@jmbowman

jmbowman commented Sep 1, 2023

Coming from the same conversation with Ed about this: In #738 (comment) Kyle mentioned that the permissions should be correct for the GITHUB_TOKEN provided to workflows running in the openedx org, but we're using the one in the edx org. We may need to update the permissions on the edx org token. A fallback would be to run 2 different workflows (one from an openedx repo and one from an edx repo), but I suspect that will just shift where we start hitting problems with permissions and secret management (from collecting the data to storing it).

@e0d

e0d commented Sep 1, 2023

I was thinking of something similar to what you suggest @jmbowman. I think that running the workflow on the openedx side and giving your script access to the repository where the data output is stored would align with GH permissions models quite cleanly. It also has the added advantage of making the openedx data available in a consistent format to other community members.

@e0d e0d moved this from Blocked to In Progress in Axim Engineering Tasks Sep 1, 2023
@e0d e0d moved this from In Progress to Blocked in Axim Engineering Tasks Sep 5, 2023
@e0d

e0d commented Oct 16, 2023

Given there's been no follow up here, I'm going to close. Please reopen if there's more to do.

@e0d e0d closed this as completed Oct 16, 2023
@github-project-automation github-project-automation bot moved this from Blocked to Done in Axim Engineering Tasks Oct 16, 2023