NAIS team app

GitHub App

NAIS team app provides a way to push to remote repositories without personal access tokens.
This application has access to push to certain repositories through short-lived tokens that are generated on demand.

The specific permissions the app requires are:

  • Read access to metadata
  • Read and write access to code

Installation

To authorize this application to write to a specific repository, two things must be in place.

  1. The application is installed on the specific repository (repo A).
    • If the application is intended to write to a protected branch, the application must be allowed to bypass the branch protection (Settings -> Branches -> Branch protection rules)
  2. In repo B, the repository that wants to push to repo A, an application manager must provide the App ID and a private key as a Secret.

With this in place, a GitHub Action in repo B can generate an installation access token that is valid for pushing to repo A.

name: Push a useless file to my-org/repo-A
on: push
jobs:
  push-to-remote:
    runs-on: ubuntu-latest # a runner is required for the job to be valid
    steps:
      - uses: navikt/github-app-token-generator@v1
        id: get-token
        with:
          private-key: ${{ secrets.NAIS_APP_PRIVATE_KEY }} # Private key from NAIS team app
          app-id: ${{ secrets.NAIS_APP_ID }} # App ID from NAIS team app
          repo: my-org/repo-A # a repository that NAIS team app is installed on
      - uses: actions/checkout@v2
        with:
          repository: my-org/repo-A
          token: ${{ steps.get-token.outputs.token }} # installation access token from the previous step
          path: repo-A
      - name: Commit useless file in repo-A
        run: |
          cd repo-A
          git config user.name "$GITHUB_ACTOR" # act on behalf of the user who triggered this action
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
          touch useless-file
          git add .
          git --no-pager diff --cached
          git commit --no-verify -a -m "Add useless-file"
          git push
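
What the token-generation step amounts to, shown as an added example and not the navikt/github-app-token-generator action's own code: the App ID and private key sign a short-lived JWT, which is then exchanged for an installation token restricted to repo A and the permissions listed above. The function names are hypothetical, the installation ID is assumed to be supplied by the caller, and openssl and curl are assumed to be available.

```shell
#!/bin/sh
# Added example, not the action's own code. Function names are hypothetical.
# Needs openssl (and curl for the API call).

b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '=\n'; }

# make_app_jwt APP_ID PRIVATE_KEY_PEM [NOW_EPOCH]
# Builds the RS256 JWT with which a GitHub App authenticates as itself.
make_app_jwt() (
  app_id=$1 key=$2 now=${3:-$(date +%s)}
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  # iat is backdated 60 s for clock drift; exp may be at most 10 minutes ahead.
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 540))" "$app_id" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" |
    openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
)

# verify_app_jwt JWT PUBLIC_KEY_PEM
# Exit status 0 only if the signature matches the app's public key.
verify_app_jwt() (
  jwt=$1 pub=$2
  sig=${jwt##*.} signed=${jwt%.*}
  # Restore the base64 padding that base64url strips.
  while [ $(( ${#sig} % 4 )) -ne 0 ]; do sig="$sig="; done
  tmp=$(mktemp) || exit 1
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > "$tmp"
  printf '%s' "$signed" |
    openssl dgst -sha256 -verify "$pub" -signature "$tmp" >/dev/null 2>&1
  rc=$?
  rm -f "$tmp"
  exit "$rc"
)

# request_repo_token JWT INSTALLATION_ID REPO_NAME
# Exchanges the JWT for an installation token limited to one repository
# (name without the owner) and to the permissions this page lists.
request_repo_token() {
  curl -sS -X POST \
    -H "Authorization: Bearer $1" \
    -H "Accept: application/vnd.github+json" \
    -d "{\"repositories\":[\"$3\"],\"permissions\":{\"contents\":\"write\",\"metadata\":\"read\"}}" \
    "https://api.github.com/app/installations/$2/access_tokens"
}
```

The installation token returned by the API expires after one hour, so generate it in the job that uses it rather than storing it.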

Developer

NAIS team app is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.