Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Enable GitHub Enterprise Server (GHES) support #2788

Closed
wants to merge 4 commits into from

Conversation

rajbos
Copy link

@rajbos rajbos commented Mar 24, 2023

What kind of change does this PR introduce?

Support GHES by using the Enterprise client for the GitHub calls.

What is the current behavior?

$ scorecard --repo github.corp.net/nv35/myrepo
unsupported host: github.corp.net

Which issue(s) this PR fixes

Special notes for your reviewer

There is one error that needs to be fixed, since this returns a non-zero exit code at the moment, hence the Draft status.

Error: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Field 'requireLastPushApproval' doesn't exist on type 'BranchProtectionRule'
2023/03/24 12:04:20 error during command execution: check runtime error: Branch-Protection: internal error: error during branchesHandler.setup: internal error: githubv4.Query: Field 'requireLastPushApproval' doesn't exist on type 'BranchProtectionRule'
exit status 1

I expect this is coming from our GHES instance (3.7) that does not support this field yet. If I remove the field requireLastPushApproval all checks run normally, so we might need to check the GHES version and include/exclude this field based on that.

Does this PR introduce a user-facing change?

Not for existing users, as it did not support GHES before. No changes needed by existing users.

Discussion

I am using os.Getenv("GITHUB_API_URL") to pick up the API url for the server, as this is where I'd expect this to run from an automation context. We could pick up the url from the scorecard --repo github.corp.net/nv35/myrepo command, but that means wiring up all the places from front to back to pick this up and pass it through and then update CreateGithubRepoClient calls everywhere.

 Support for GitHub Enterprise Server has been added.

@rajbos rajbos changed the title ✨ Enable GitHub Enterprise Server (GHES) support, closes #660 ✨ Enable GitHub Enterprise Server (GHES) support Mar 24, 2023
@github-actions
Copy link

github-actions bot commented Apr 4, 2023

Stale pull request message

@rajbos
Copy link
Author

rajbos commented Apr 4, 2023

I'm going to work on this again later this week. Not stale.

@azeemshaikh38
Copy link
Contributor

@raghavkaul could you help review this PR whenever its ready?

@raghavkaul
Copy link
Contributor

Yes, happy to review whenever this is ready.

Signed-off-by: GitHub <[email protected]>
Signed-off-by: GitHub <[email protected]>
@rajbos
Copy link
Author

rajbos commented Apr 13, 2023

Tested against GHES 3.8.1 today and it works: the field in the GraphQL search exists.

Two things left to discuss:

  1. I need some help with the failing unit test: I have no clue how this works in Go and why this is failing (I get that I changed the setup partially)
  2. Should this new change be reflected in the REAMDE (GHES is supported by looking at the GITHUB_API_URL variable. Is so: where? We can then note that this works from 3.8 and up.

@rajbos
Copy link
Author

rajbos commented Apr 13, 2023

Tagging @raghavkaul for visiblity.

Copy link
Member

@naveensrinivasan naveensrinivasan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@@ -126,7 +128,7 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitD

// URI implements RepoClient.URI.
func (client *Client) URI() string {
return fmt.Sprintf("github.com/%s/%s", client.repourl.owner, client.repourl.repo)
return fmt.Sprintf("%s/%s/%s", client.repourl.host, client.repourl.owner, client.repourl.repo)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please write a test for this?

@@ -259,8 +261,33 @@ func CreateGithubRepoClientWithTransport(ctx context.Context, rt http.RoundTripp
httpClient := &http.Client{
Transport: rt,
}
client := github.NewClient(httpClient)
graphClient := githubv4.NewClient(httpClient)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please include tests for these?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@naveensrinivasan , can you give me some pointers / help on where to get started? (not a Go programmer, so testing in Go is new to me).

I see a generic setup for creating the clients during the tests here: clients/githubrepo/githubrepo_suite_test.go, and another generic mock here clients/mockclients/repo_client.go.

@github-actions
Copy link

github-actions bot commented May 1, 2023

Stale pull request message

@github-actions
Copy link

Stale pull request message

@rajbos
Copy link
Author

rajbos commented May 13, 2023

Still want to work on this Stale bot! Looking for the time to do so 😄

@github-actions
Copy link

github-actions bot commented Jun 3, 2023

Stale pull request message

@esnible
Copy link

esnible commented Jun 5, 2023

The error messages were not obvious to me:

go run main.go --repo https://github.ibm.com/<myorg>/<myproject>
2023/06/05 08:05:42 error during command execution: RunScorecard: repo unreachable: Get "/api/v3/repos/<myorg>/<myproject>": internal error: innerTransport.RoundTrip: internal error: innerTransport.RoundTrip: unsupported protocol scheme ""

Could this message remind people that you expect $GITHUB_API_URL, and the value it should have?

GITHUB_API_URL=https://api.github.ibm.com go run main.go --repo https://github.ibm.com/<myorg>/<myproject>
Error: RunScorecard: repo unreachable: GET https://api.github.ibm.com/repos/<myorg>/<myproject>: 401 Must authenticate to access this API. []

Could this message include the usual one GitHub token env var is not set. Please read https://github.com/ossf/scorecard#authentication error="an error occurred while getting GitHub credentials"

GITHUB_AUTH_TOKEN=<mytoken> GITHUB_API_URL=https://api.github.ibm.com go run main.go --repo https://github.ibm.com/<myorg>/<myproject>
Error: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: non-200 OK status code: 404 Not Found body: "{\"message\":\"Not Found\",\"documentation_url\":\"https://docs.github.com/[email protected]/rest\"}"

I gave up before solving this one. Does it want the enterprise URL instead of docs.github.com? How do I provide that?

@github-actions
Copy link

Stale pull request message

@rajbos
Copy link
Author

rajbos commented Jun 19, 2023

Missed the feedback from @esnible, will try to address that.

}
// trim trailing slash to prevent issues with the graphql client
githubSERVERURL = strings.TrimSuffix(githubSERVERURL, "/")
githubGRAPHQLURL := fmt.Sprintf("%s/api/graphql", githubSERVERURL)
Copy link

@esnible esnible Jun 21, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line didn't work for me. To run the scorecards, I used GITHUB_API_URL=https://api.github.ibm.com and changed this line to

githubGRAPHQLURL := fmt.Sprintf("%s/graphql", githubSERVERURL)

Using "%s/api/graphql" caused 404s, using /graphql allowed the scorecard to generate. I only have access to my own company's GHE, so I don't know if you should always use /graphql or if the path needs to be parameterized for different configurations.

@spencerschrock
Copy link
Member

spencerschrock commented Jun 21, 2023

FYI, #2999 was merged while this was marked stale.

Can we see if @esnible's feedback applies to what has already been merged? If not, can we re-purpose this PR (or close and open a new one) to fixing what's already been merged?

@esnible
Copy link

esnible commented Jun 21, 2023

Using the current HEAD I was able to GITHUB_AUTH_TOKEN=$GITHUB_ENTERPRISE_TOKEN GH_HOST=github.ibm.com go run main.go --repo https://github.ibm.com/<owner>/<project> --show-details --checks Vulnerabilities and it worked just fine.

I had incorrectly tried GH_HOST=api.github.ibm.com with HEAD, as that is the host I use when I make GraphQL queries, and that is the host that this PR expected, and I found the error message confusing. However, I was not confused enough to be stuck. The error message was:

error during command execution: GetClients: error making github repo: error in IsValid: unsupported host: github.ibm.com

That confused me because

  • I wasn't making a github repo
  • I was passing in a GH_HOST that I knew was supported
  • I thought the error message referred to $GH_HOST

In terms of functionality the code in HEAD is great.

@github-actions
Copy link

github-actions bot commented Jul 2, 2023

Stale pull request message

@rajbos
Copy link
Author

rajbos commented Jul 10, 2023

I've validated with v4.11.0 and it works against our internal GHES environment, so I am ready to close this issue. Thanks for adding the support!

@spencerschrock
Copy link
Member

I've validated with v4.11.0 and it works against our internal GHES environment, so I am ready to close this issue. Thanks for adding the support!

All the thanks goes to you and Niket!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support private git servers (like Github Enterprise instances)
6 participants