Update kubernetes-client organization to allow Github Actions to create pull requests
#5126
Comments
|
/assign @kubernetes/owners |
|
Friendly ping on this one since it is blocking our ability to generate the 1.31 client. |
|
Also for kubernetes-sigs as well please! these actions used to work and don't any more |
|
cc @Priyankasaggu11929 @cblecker Friendly Friday ping on this. Thanks! |
|
Hey @brendandburns @dims ! I apologize that this response was delayed, and that this change disrupted existing workflows without appropriate notice. You are correct that when we migrated all the orgs into the enterprise, the enterprise-wide policies started taking effect. For other orgs, this setting had already been disabled, but it seems it wasn't on the @kubernetes-client org. The GitHub Admin Team, along with the SRC, has previously identified some issues with how GitHub Actions was being used in ways that created potential security concerns. As a result, one of the security harding measures that was implemented was disabling the ability for GitHub Actions to do certain write actions including creating PRs and approving code to merge. It seems that this setting wasn't ubiquitously applied across all orgs, and when we brought everything into the enterprise and it started to be enforced, broke a couple workflows including the one you describe above. At this time, we are not looking at reverting the change to the setting as it weakens the project's security posture. We would be happy to collaborate on alternatives, such as prow jobs, to enable this type of functionality without the use of GitHub Actions. |
|
@cblecker we currently use github actions to regenerate code from Kubernetes Swagger. What is the current approach that you suggest? I'm not sure this is something that prow really wants to take on (nor am I sure that is the right solution) And imho restricting this setting doesn't add any additional security, because I can just add my own |
|
I wanted to also clarify that these actions aren't run on PRs they are manually triggered and they can only be triggered by the repo owners, so I think that some of the security concerns don't apply. |
|
@cblecker friendly ping on this as it is blocking/making more difficult the generation of Kubernetes clients. |
|
fwiw, this is also blocking the ability to automatically send PRs back to the repository after we cut a release. @cblecker we really need to revisit this policy as it is blocking necessary automation. There's a lot of tasks for which prow is not the right solution. |
|
Actually, this is worse than that, it is actually blocking our ability to cut a release at all: https://github.com/kubernetes-client/java/actions/runs/11262193200/job/31317326994 Moving to a manual process for releasing this client is a bad, less secure, idea. Please advise about how you think we should do this. |
|
@cblecker @Priyankasaggu11929 @jasonbraganza Who is the right person to work with on this policy. It really restricts the utility of Github Actions, and it doesn't make sense to move to other CI/CD. |
|
Hello @brendandburns, extremely sorry for the silence. I don't have an answer just yet. But I'm acknowledging your above comments (on behalf of GitHub Admins). |
|
Hello @brendandburns, will the following approach help unblock the failing workflows? It was pointed out in another similar report of We've also reached out to GitHub staff with a new feature request to allow more granular management of GitHub Actions permissions at the repo/org level, in an GH enterprise setup (as of now, it is not possible). |
|
@Priyankasaggu11929 I will try that, but given that apparently the policy is blocking that permission: I would be surprised if it works (and honestly, if it does work, it's probably a security issue for GH) |
Yes, I agree using Regardless, we're discussing (within GH Admin group) auditing the use of
Quick update – GitHub has accepted the above request, and hopefully we'll have the feature/workaround by early next year Q1. cc: @mrbobbytables |
|
/reopen We have the same issue in kubernetes-sigs/controller-tools. @brendandburns Did kubernetes-client/java#3778 resolve your issue? (I think it didn't but the job logs are not availalbe anymore: https://github.com/kubernetes-client/java/actions/workflows/generate.yml) We already have the permission in our action in controller-tools (https://github.com/kubernetes-sigs/controller-tools/blob/main/.github/workflows/tools-releases.yml#L12C8-L12C16) and it's not enough in our case (https://github.com/kubernetes-sigs/controller-tools/actions/runs/12463704971). So overall sounds like we're waiting for the GH enterprise feature that potentially resolves this. |
|
@sbueringer: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Organization or Repo
kubernetes-client
User affected
all users
Describe the issue
I think in the move to GH enterprise, an organization permissions change occurred which is preventing our github actions in the
kubernetes-client/javarepository (and probably all other repositories) from sending PRs. In particular, this is blocking our ability to regenerate new code.The box in the repository settings to enable this for a github action is greyed out, and I believe this is because the organzational settings are restricted as described here:
https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization
Can we update the
kubernetes-clientorganization to allow github actions to send PRs?Thanks!
The text was updated successfully, but these errors were encountered: