Hi, I'm working around a secure implementation of the workflow described here (Helm promotion), and I realized a few problems with the githubdispatch Provider:
- Right now it can only authenticate using Personal Access Tokens. For an enterprise that kind of token is bad because it's tied to a single user account, making it hard to manage, and also because it's a static/long-lived credential.
- The better alternative that solves the user-tied token problem for githubdispatch (but not the static/long-lived credential problem), a GitHub App Installation, requires the permission Contents read&write to be granted to the GitHub App for triggering a repository_dispatch. This permission is super powerful: it grants access to many destructive actions in the repository via the GitHub API.
A better solution for my specific case would be publishing events to Google Cloud Pub/Sub and consuming them in an internal Jenkins instance with a simple SSH deploy key for pushing to non-protected branches, which is a lot less powerful than the aforementioned GitHub App Installation credential. With Google Cloud Pub/Sub I'd also be able to use Workload Identity for authenticating notification-controller for dispatching the Helm events, which solves the static credential problem.
I'd like to contribute this feature!
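As an added illustration of the consumer side of the design proposed above (example code, not from the issue author or the Flux project): a Jenkins-side handler that decodes a Pub/Sub push message carrying a Flux notification event and returns a promotion target only for an allowlisted HelmRelease upgrade, so the low-privilege deploy key is used for nothing else. The Pub/Sub push envelope shape, the allowlist and the `revision` metadata key are assumptions, and the sample event is constructed.

```python
import base64
import json
from typing import Optional

# Constructed sample Flux event. Field names (involvedObject, severity, reason,
# metadata, reportingController) follow the Flux event format; the "revision"
# metadata key holding the chart version is an assumption.
FLUX_EVENT = {
    "involvedObject": {
        "kind": "HelmRelease",
        "namespace": "apps",
        "name": "podinfo",
        "apiVersion": "helm.toolkit.fluxcd.io/v2beta1",
    },
    "severity": "info",
    "timestamp": "2023-01-01T00:00:00Z",
    "message": "Helm upgrade succeeded",
    "reason": "UpgradeSucceeded",
    "metadata": {"revision": "6.3.5"},
    "reportingController": "helm-controller",
}

# Allowlist of (kind, namespace, name) that may trigger a promotion commit.
ALLOWED = {("HelmRelease", "apps", "podinfo")}


def encode_event(event: dict) -> dict:
    """Wrap a Flux event the way a Pub/Sub push delivery would carry it:
    JSON, base64-encoded in message.data (envelope shape is an assumption)."""
    data = base64.b64encode(json.dumps(event).encode()).decode()
    return {"message": {"data": data, "messageId": "constructed-1"},
            "subscription": "projects/example-project/subscriptions/flux-promotion"}


PUBSUB_MESSAGE = encode_event(FLUX_EVENT)


def promotion_target(pubsub_message: dict) -> Optional[dict]:
    """Return {release, namespace, revision} for an allowlisted successful
    HelmRelease upgrade, or None so the pipeline ignores the message."""
    event = json.loads(base64.b64decode(pubsub_message["message"]["data"]))
    obj = event.get("involvedObject", {})
    if (obj.get("kind"), obj.get("namespace"), obj.get("name")) not in ALLOWED:
        return None  # unexpected object: never act on it
    if event.get("severity") != "info" or event.get("reason") != "UpgradeSucceeded":
        return None  # failures and warnings must not drive a promotion
    revision = event.get("metadata", {}).get("revision")
    if not revision:
        return None  # nothing to promote without a chart version
    return {"release": obj["name"], "namespace": obj["namespace"], "revision": revision}
```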