Adding a new GitHub CI app integration

Create a new GitHub app

  1. Click the New GitHub App button in the lsst-sqre org Developer Settings apps page.

  2. Name it mobu CI (env URL or id if the URL is too long).

  3. Make sure the Active checkbox is checked in the Webhook section.

  4. Enter https://env URL/mobu/github/ci/webhook in the Webhook URL input.

  5. Generate a strong password to use as the webhook secret.

  6. Store this in the SQuaRE vault in the LSST IT 1Password account in an Server item named mobu (env URL) in a password field named mobu-github-ci-app-webhook-secret.

  7. Get this into the Phalanx secret store for that env under the key: github-ci-app-webhook-secret (this process is different for different envs).

  8. Enter this secret in the Webhook secret (optional) box in the GitHub App config.

  9. Select Read and Write in the dropdown of the Checks access category in the Repository Permissions section.

  10. Select Read-only in the dropdown of the Contents access category in the Repository Permissions section.

  11. Check the Check suite and Check run checkboxes in the Subscribe to events section.

  12. Select the Any account radio button in the Where can this GitHub App be installed? section.

  13. Click the Create GitHub App button.

  14. Find the App ID (an integer) in the About section. Get this into the Phalanx secret store for that env under the key: github-ci-app-id (this process is different for different envs).

  15. Click the Generate a private key button in the Private keys section.

  16. Store this private key in the same mobu (env URL) item in a text key called github-mobu-ci-app-private-key.

  17. Get this into the Phalanx secret store for that env under the key: github-ci-app-private-key (this process is different for different envs).

Install the app for a repo

  1. Go to new app’s homepage (something like apps/mobu-refresh-usdfdev).

  2. Click the Install button.

  3. Select the Only select repositories radio button.

  4. Select the repo in the dropdown.

  5. Click Install.

Add Phalanx configuration

In applications/mobu/values-env.yaml, add a config.githubCiApp value:

config:
  githubCiApp:
    acceptedGithubOrgs:
      - lsst-sqre
    users:
      - username: "bot-mobu-ci-user-1"
        uidnumber: 123
        gidnumber: 456
      - username: "bot-mobu-ci-user-2"
        uidnumber: 789
        gidnumber: 876
    scopes:
      - "exec:notebook"
      - "exec:portal"
      - "read:image"
      - "read:tap"

All items are required.

acceptedGithubOrgs

A list of GitHub organizations from which this instance of Mobu will accept webhook requests. Webhook requests from any orgs not in this list will get a 403 response.

users

Follows the same rules as the users list in a flock autostart config. The usernames must all start with bot-mobu. In envs with Firestore integration, you only need to specify username. In envs without it, you need to ensure that users are manually provisioned, and then you need all three of username, uidnumber, and gidnumber.

scopes

A list of Gafaelfawr scopes to grant to the users running in the monkeys started from GitHub CI checks.