refactor: rename github integration app configs for clarity

comses · Oct 18, 2024 · a812066 · a812066
1 parent 1b64c51
commit a812066
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 22 deletions.
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ SECRETS_DIR=${BUILD_DIR}/secrets
 DB_PASSWORD_PATH=${SECRETS_DIR}/db_password
 PGPASS_PATH=${SECRETS_DIR}/.pgpass
 SECRET_KEY_PATH=${SECRETS_DIR}/django_secret_key
-EXT_SECRETS=hcaptcha_secret github_client_secret orcid_client_secret discourse_api_key discourse_sso_secret mail_api_key github_app_private_key github_app_client_secret
+EXT_SECRETS=hcaptcha_secret github_client_secret orcid_client_secret discourse_api_key discourse_sso_secret mail_api_key github_integration_app_private_key github_integration_app_client_secret
 GENERATED_SECRETS=$(DB_PASSWORD_PATH) $(PGPASS_PATH) $(SECRET_KEY_PATH)
 
 ENVREPLACE := deploy/scripts/envreplace

diff --git a/base.yml b/base.yml
@@ -66,8 +66,8 @@ services:
       - django_secret_key
       - github_client_secret
       - orcid_client_secret
-      - github_app_private_key
-      - github_app_client_secret
+      - github_integration_app_private_key
+      - github_integration_app_client_secret
       - hcaptcha_secret
       - mail_api_key
     volumes:
@@ -97,10 +97,10 @@ secrets:
     file: ./build/secrets/django_secret_key
   github_client_secret:
     file: ./build/secrets/github_client_secret
-  github_app_private_key:
-    file: ./build/secrets/github_app_private_key
-  github_app_client_secret:
-    file: ./build/secrets/github_app_client_secret
+  github_integration_app_private_key:
+    file: ./build/secrets/github_integration_app_private_key
+  github_integration_app_client_secret:
+    file: ./build/secrets/github_integration_app_client_secret
   hcaptcha_secret:
     file: ./build/secrets/hcaptcha_secret
   mail_api_key:

diff --git a/deploy/conf/.env.template b/deploy/conf/.env.template
@@ -37,11 +37,11 @@ SENTRY_DSN=
 GITHUB_CLIENT_ID=
 ORCID_CLIENT_ID=
 
-# github app
-GITHUB_APP_ID=
-GITHUB_APP_INSTALLATION_ID=
+# github integration app
+GITHUB_INTEGRATION_APP_ID=
+GITHUB_INTEGRATION_APP_INSTALLATION_ID=
+GITHUB_INTEGRATION_APP_CLIENT_ID=
 GITHUB_MODEL_LIBRARY_ORG_NAME=
-GITHUB_APP_CLIENT_ID=
 
 # test
 TEST_USER_ID=10000000

diff --git a/django/core/settings/defaults.py b/django/core/settings/defaults.py
@@ -510,12 +510,18 @@ def is_test(self):
 GITHUB_CLIENT_ID = os.getenv("GITHUB_CLIENT_ID", "")
 GITHUB_CLIENT_SECRET = read_secret("github_client_secret")
 
-GITHUB_APP_ID = int(os.getenv("GITHUB_APP_ID") or 0)
-# FIXME: should the main socialauth app be the same as the mirroring app?
-GITHUB_APP_CLIENT_ID = os.getenv("GITHUB_APP_ID", "")
-GITHUB_APP_CLIENT_SECRET = read_secret("github_app_client_secret")
-GITHUB_APP_PRIVATE_KEY = read_secret("github_app_private_key")
-GITHUB_APP_INSTALLATION_ID = int(os.getenv("GITHUB_APP_INSTALLATION_ID") or 0)
+GITHUB_INTEGRATION_APP_ID = int(os.getenv("GITHUB_INTEGRATION_APP_ID") or 0)
+GITHUB_INTEGRATION_APP_PRIVATE_KEY = read_secret("github_integration_app_private_key")
+GITHUB_INTEGRATION_APP_INSTALLATION_ID = int(
+    os.getenv("GITHUB_INTEGRATION_APP_INSTALLATION_ID") or 0
+)
+# client id and secret are only used for getting user access tokens to be able to push
+# to the user's repositories. We are not re-using the regular oauth app in order to
+# keep minimal permissions
+GITHUB_INTEGRATION_APP_CLIENT_ID = os.getenv("GITHUB_INTEGRATION_APP_ID", "")
+GITHUB_INTEGRATION_APP_CLIENT_SECRET = read_secret(
+    "github_integration_app_client_secret"
+)
 GITHUB_MODEL_LIBRARY_ORG_NAME = os.getenv("GITHUB_MODEL_LIBRARY_ORG_NAME", "")
 
 TEST_BASIC_AUTH_PASSWORD = os.getenv("TEST_BASIC_AUTH_PASSWORD", "test password")

diff --git a/django/library/github.py b/django/library/github.py
@@ -132,12 +132,12 @@ def refresh_installation_access_token():
         and cache it for future use
         """
         auth = Auth.AppAuth(
-            settings.GITHUB_APP_ID,
-            settings.GITHUB_APP_PRIVATE_KEY,
+            settings.GITHUB_INTEGRATION_APP_ID,
+            settings.GITHUB_INTEGRATION_APP_PRIVATE_KEY,
         )
         integration = GithubIntegration(auth=auth)
         installation_auth = integration.get_access_token(
-            settings.GITHUB_APP_INSTALLATION_ID
+            settings.GITHUB_INTEGRATION_APP_INSTALLATION_ID
         )
         token = installation_auth.token
         seconds_until_expiration = (
@@ -161,8 +161,8 @@ def get_user_access_token(code: str):
         """
         github = Github()
         app = github.get_oauth_application(
-            settings.GITHUB_APP_CLIENT_ID,
-            settings.GITHUB_APP_CLIENT_SECRET,
+            settings.GITHUB_INTEGRATION_APP_CLIENT_ID,
+            settings.GITHUB_INTEGRATION_APP_CLIENT_SECRET,
         )
         return app.get_access_token(code).token