Add ability to update scm project using github app

[TheRealHaoLiu]

SUMMARY

• Add github_app_id, github_app_installation_id and github_api_url to scm credential type
• Add ability to generate github app token to clone project with git for github

ISSUE TYPE

• New or Enhanced Feature

COMPONENT NAME

• API

AWX VERSION

ADDITIONAL INFORMATION

[sonarcloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[chrismeyersfsu]

This should be a different credential.

[webknjaz]

Are you trying to surface this into a UI field? This is usually discoverable automatically.

[TheRealHaoLiu]

automatic

[webknjaz]

So ideally, there should be no UI inputs at all. Log into https://pre-commit.ci or Codecov / RTD to see their UX for working with repos accessible through GH app installations.

Whenever the app is installed, you already get an event with all the information needed via webhooks.

[webknjaz]

Is this also surfaced to the end-users? Why? It should be a platform-global value, it's not directly a credential.

[webknjaz]

GH App should be global for the entire AWX. The whole idea is that the users don't need to set up and maintain multiple apps. They just need to click “Install” on GH UI.

[webknjaz]

This as well should be a deployment-global value rather than bound to a credential.

[AlanCoding]

On @chrismeyersfsu 's point, the intent was never for the Project.credential field to validate the literal "Source Control" credential type.

awx/awx/main/models/projects.py

Lines 163 to 164 in 79c1921

	elif cred.kind != 'scm':
	raise ValidationError(_("Credential kind must be 'scm'."))

Instead, it only wants the kind of the credential to be "scm", that, I believe (incorrectly) maps to the credential type namespace

awx/awx/main/models/credential/__init__.py

Lines 135 to 137 in 79c1921

	@property
	def kind(self):
	return self.credential_type.namespace

Again, I think that's wrong. When the Project.credential field is validated, I think it should require that the related credential_type.kind is "scm".

awx/awx/main/models/credential/__init__.py

Line 362 in 79c1921

kind = models.CharField(max_length=32, choices=KIND_CHOICES)

you can see the choices:

awx/awx/main/models/credential/__init__.py

Lines 347 to 360 in 79c1921

	KIND_CHOICES = (
	('ssh', _('Machine')),
	('vault', _('Vault')),
	('net', _('Network')),
	('scm', _('Source Control')),
	('cloud', _('Cloud')),
	('registry', _('Container Registry')),
	('token', _('Personal Access Token')),
	('insights', _('Insights')),
	('external', _('External')),
	('kubernetes', _('Kubernetes')),
	('galaxy', _('Galaxy/Automation Hub')),
	('cryptography', _('Cryptography')),
	)

This CredentialType "kind" designation is like an intended use of that credential type. So any "scm" kind of credential type should be acceptable for use in a project.

[webknjaz]

This should be discovered from the GitHub repository URL and querying https://docs.github.com/en/rest/apps/installations?apiVersion=2022-11-28#list-app-installations-accessible-to-the-user-access-token, and stored somewhere in the DB, not surfaced to the users.

[webknjaz]

Any chance not to use an unspecified exception?

[webknjaz]

If you invert it to !=, you can dedent a few lines of code.

[TheRealHaoLiu]

@webknjaz for this implementation we just want to scope this to specifically project update and also this will give the ability for people to have different github app for different projects if desired

[webknjaz]

also this will give the ability for people to have different github app for different projects if desired

That's kinda against the entire idea of GH Apps 🤷‍♂️