GitHub Operations

The following document contains information on various GitHub integration procedures.

Configuring a GitHub App

Sometimes a CI/CD pipeline in one repository needs access to another repository. If the target repository is private, the pipeline cannot access it, even when the CI/CD steps use the GITHUB_TOKEN, because that token is scoped to the repository running the workflow.

To overcome this limitation, we need to explicitly configure the access. One way to achieve this is by using a GitHub App.

  1. Go to the organization settings.
  2. Create a new app by clicking "New GitHub App".
  3. Fill in the name and Homepage URL (can be https://github.com/archipelo).
  4. Unselect the "Webhook" checkbox.
  5. Expand "Repository permissions" and change the "Contents" permission to "read-only".
  6. Click "Generate private key" and download the file. Copy the full content of the file to the clipboard (all text, including header and footer).
  7. Go to https://github.com/organizations/archipelo/settings/apps/<NAME OF THE APP>/installations
  8. Click the install button and choose either "All repositories" or only a selected subset of repositories.
  9. Go to https://github.com/Archipelo/top/settings/secrets/actions
  10. Click "New repository secret".
  11. Add the secret name (e.g. APP_KEY).
  12. Paste the key copied in step 6 and click "Add secret".

Adding Deployment to New Repository

Access to the GCP project from GitHub is controlled with federated identities via Workload Identity Federation.

For a new GitHub repository to access resources in GCP, such as the Docker repository, and to deploy artifacts, the repository must be added to the workload identity pool.

To add a new repository, issue the following command:

gcloud iam service-accounts add-iam-policy-binding \
"IDENTITY_ACCOUNT" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/PROJECT_ID/locations/global/workloadIdentityPools/IDENTITY_POOL/attribute.repository/Archipelo/REPOSITORY_NAME"

The IDENTITY_ACCOUNT is one of the following values:

  • dev - github-deployment-dev@archipelo-dev.iam.gserviceaccount.com
  • qa - github-deployment-qa@archipelo-qa.iam.gserviceaccount.com

The PROJECT_ID is one of the following values:

  • dev - 709267376921
  • qa - 512550308738

The IDENTITY_POOL is one of the following values:

  • dev - github-pool-dev-5ac96a00
  • qa - github-pool-qa-07c5eba2

The REPOSITORY_NAME is the new repository name we would like to add.
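
The command above, wrapped as a small shell helper. This is an added example, not part of the original procedure. It fills in the dev and qa values listed above and rejects repository names that are not a single plain name, so a binding always covers exactly one repository. The function names, the DRY_RUN variable and the allowed-character rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and DRY_RUN are hypothetical, not from the page.

# Set ACCOUNT, PROJECT and POOL for one environment (values from the lists above).
wif_lookup() {
  case "$1" in
    dev) ACCOUNT="github-deployment-dev@archipelo-dev.iam.gserviceaccount.com"
         PROJECT="709267376921"; POOL="github-pool-dev-5ac96a00" ;;
    qa)  ACCOUNT="github-deployment-qa@archipelo-qa.iam.gserviceaccount.com"
         PROJECT="512550308738"; POOL="github-pool-qa-07c5eba2" ;;
    *)   echo "unknown environment: $1" >&2; return 1 ;;
  esac
}

# Accept only one plain repository name (assumed rule: letters, digits, '.', '_', '-').
# Slashes, wildcards and whitespace are refused so the member cannot be widened.
valid_repo_name() {
  case "$1" in
    ""|.|..) return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Print the principalSet member for ENV and REPOSITORY_NAME.
wif_member() {
  wif_lookup "$1" || return 1
  valid_repo_name "$2" || { echo "invalid repository name: $2" >&2; return 1; }
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/Archipelo/%s\n' \
    "$PROJECT" "$POOL" "$2"
}

# Build the binding command. Prints it by default; DRY_RUN=0 runs it.
wif_bind() {
  wif_lookup "$1" || return 1
  member=$(wif_member "$1" "$2") || return 1
  set -- gcloud iam service-accounts add-iam-policy-binding "$ACCOUNT" \
    --role="roles/iam.workloadIdentityUser" --member="$member"
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi
}

# Usage: script.sh ENV REPOSITORY_NAME
if [ "$#" -eq 2 ]; then wif_bind "$1" "$2"; fi
```
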