Merge remote-tracking branch 'upstream/main' into 3151-merge-idp

mindersec · Apr 26, 2024 · 69f94dd · 69f94dd
2 parents 0969fb1 + 7c6d8f4
commit 69f94dd
Show file tree

Hide file tree

Showing 43 changed files with 1,180 additions and 483 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -48,7 +48,7 @@ jobs:
           go-version-file: ./go.mod
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3
+        uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
         # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        uses: github/codeql-action/autobuild@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3
+        uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
@@ -71,6 +71,6 @@ jobs:
       #     echo "Run, Build Application using script"
       #     ./location_of_script_within_repo/buildscript.sh
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3
+        uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/update-docs-cli.yml b/.github/workflows/update-docs-cli.yml
@@ -31,7 +31,7 @@ jobs:
           echo "commit_date=$COMMIT_DATE" >> $GITHUB_OUTPUT
           echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT
       - name: Commit and push changes
-        uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
         with:
           commit-message: Update documentation
           committer: GitHub <noreply@github.com>

diff --git a/.github/workflows/update-docs-dbschema.yml b/.github/workflows/update-docs-dbschema.yml
@@ -27,7 +27,7 @@ jobs:
           echo "commit_date=$COMMIT_DATE" >> $GITHUB_OUTPUT
           echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT
       - name: Commit and push changes
-        uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
         with:
           commit-message: Update DB schema
           committer: GitHub <noreply@github.com>

diff --git a/.github/workflows/update-docs-helm.yml b/.github/workflows/update-docs-helm.yml
@@ -39,7 +39,7 @@ jobs:
           echo "commit_date=$COMMIT_DATE" >> $GITHUB_OUTPUT
           echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT
       - name: Commit and push changes
-        uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83 # v6.0.4
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
         with:
           commit-message: Update helm documentation
           committer: GitHub <noreply@github.com>

diff --git a/cmd/server/app/serve.go b/cmd/server/app/serve.go
@@ -80,7 +80,10 @@ var serveCmd = &cobra.Command{
 		// webhook config validation
 		webhookURL := cfg.WebhookConfig.ExternalWebhookURL
 		webhookping := cfg.WebhookConfig.ExternalPingURL
-		webhooksecret := cfg.WebhookConfig.WebhookSecret
+		webhooksecret, err := cfg.WebhookConfig.GetWebhookSecret()
+		if err != nil {
+			return fmt.Errorf("failed to get webhook secret: %w", err)
+		}
 		if webhookURL == "" || webhookping == "" || webhooksecret == "" {
 			return fmt.Errorf("webhook configuration is not set")
 		}

diff --git a/cmd/server/app/webhook_update.go b/cmd/server/app/webhook_update.go
@@ -119,8 +119,15 @@ func runCmdWebhookUpdate(cmd *cobra.Command, _ []string) error {
 			ghCli, err := pb.GetGitHub()
 			if err != nil {
 				zerolog.Ctx(ctx).Err(err).Msg("cannot get github client")
+				continue
 			}
-			updateErr = updateGithubWebhooks(ctx, ghCli, store, provider, webhookUrl.Host, cfg.WebhookConfig.WebhookSecret)
+
+			whSecret, err := cfg.WebhookConfig.GetWebhookSecret()
+			if err != nil {
+				zerolog.Ctx(ctx).Err(err).Msg("cannot get webhook secret")
+				continue
+			}
+			updateErr = updateGithubWebhooks(ctx, ghCli, store, provider, webhookUrl.Host, whSecret)
 		} else {
 			updateErr = fmt.Errorf("provider type %s not supported", providerName)
 		}

diff --git a/database/mock/store.go b/database/mock/store.go
diff --git a/database/query/providers.sql b/database/query/providers.sql
@@ -20,6 +20,9 @@ LIMIT 1;
 -- name: GetProviderByID :one
 SELECT * FROM providers WHERE id = $1;
 
+-- name: GetProviderByIDAndProject :one
+SELECT * FROM providers WHERE id = $1 AND project_id = $2;
+
 -- FindProviders allows us to take a trait and filter
 -- providers by it. It also optionally takes a name, in case we want to
 -- filter by name as well.

diff --git a/docs/package.json b/docs/package.json
@@ -22,7 +22,7 @@
     "docusaurus-protobuffet": "^0.3.3",
     "mobx": "^6.12.3",
     "prism-react-renderer": "^1.3.5",
-    "react": "^18.0.0",
+    "react": "^18.3.0",
     "react-dom": "^18.0.0",
     "redocusaurus": "^2.0.2",
     "styled-components": "^6.1.8"

diff --git a/docs/yarn.lock b/docs/yarn.lock
@@ -7989,10 +7989,10 @@ react-tabs@^4.3.0:
     clsx "^1.1.0"
     prop-types "^15.5.0"
 
-react@^18.0.0:
-  version "18.2.0"
-  resolved "https://registry.yarnpkg.com/react/-/react-18.2.0.tgz#555bd98592883255fa00de14f1151a917b5d77d5"
-  integrity sha512-/3IjMdb2L9QbBdWiW5e3P2/npwMBaU9mHCSCUzNln0ZCYbcfTsGbTJrU/kGemdH2IWmB2ioZ+zkxtmq6g09fGQ==
+react@^18.3.0:
+  version "18.3.0"
+  resolved "https://registry.yarnpkg.com/react/-/react-18.3.0.tgz#84386d0a36fdf5ef50fa5755b7812bdfb76194a5"
+  integrity sha512-RPutkJftSAldDibyrjuku7q11d3oy6wKOyPe5K1HA/HwwrXcEqBdHsLypkC2FFYjP7bPUa6gbzSBhw4sY2JcDg==
   dependencies:
     loose-envify "^1.1.0"
 

diff --git a/go.mod b/go.mod
@@ -57,13 +57,13 @@ require (
 	github.com/styrainc/regal v0.21.0
 	github.com/thomaspoignant/go-feature-flag v1.26.0
 	github.com/xeipuuv/gojsonschema v1.2.0
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.50.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0
 	go.opentelemetry.io/otel v1.26.0
-	go.opentelemetry.io/otel/exporters/prometheus v0.47.0
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.25.0
-	go.opentelemetry.io/otel/sdk v1.25.0
-	go.opentelemetry.io/otel/sdk/metric v1.25.0
+	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0
+	go.opentelemetry.io/otel/sdk v1.26.0
+	go.opentelemetry.io/otel/sdk/metric v1.26.0
 	go.opentelemetry.io/otel/trace v1.26.0
 	go.uber.org/mock v0.4.0
 	golang.org/x/crypto v0.22.0

diff --git a/go.sum b/go.sum
@@ -1006,8 +1006,8 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.50.0 h1:zvpPXY7RfYAGSdYQLjp6zxdJNSYD/+FFoCTQN9IPxBs=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.50.0/go.mod h1:BMn8NB1vsxTljvuorms2hyOs8IBuuBEq0pl7ltOfy30=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 h1:A3SayB3rNyt+1S6qpI9mHPkeHTZbD7XILEqWnYZb2l0=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0/go.mod h1:27iA5uvhuRNmalO+iEUdVn5ZMj2qy10Mm+XRIpRmyuU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
 go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
@@ -1018,16 +1018,16 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0 h1:Mw5xc
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0/go.mod h1:CQNu9bj7o7mC6U7+CA/schKEYakYXWr79ucDHTMGhCM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0 h1:Mbi5PKN7u322woPa85d7ebZ+SOvEoPvoiBu+ryHWgfA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0/go.mod h1:e7ciERRhZaOZXVjx5MiL8TK5+Xv7G5Gv5PA2ZDEJdL8=
-go.opentelemetry.io/otel/exporters/prometheus v0.47.0 h1:OL6yk1Z/pEGdDnrBbxSsH+t4FY1zXfBRGd7bjwhlMLU=
-go.opentelemetry.io/otel/exporters/prometheus v0.47.0/go.mod h1:xF3N4OSICZDVbbYZydz9MHFro1RjmkPUKEvar2utG+Q=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.25.0 h1:0vZZdECYzhTt9MKQZ5qQ0V+J3MFu4MQaQ3COfugF+FQ=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.25.0/go.mod h1:e7iXx3HjaSSBXfy9ykVUlupS2Vp7LBIBuT21ousM2Hk=
+go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
+go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0 h1:0W5o9SzoR15ocYHEQfvfipzcNog1lBxOLfnex91Hk6s=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0/go.mod h1:zVZ8nz+VSggWmnh6tTsJqXQ7rU4xLwRtna1M4x5jq58=
 go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
 go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
-go.opentelemetry.io/otel/sdk v1.25.0 h1:PDryEJPC8YJZQSyLY5eqLeafHtG+X7FWnf3aXMtxbqo=
-go.opentelemetry.io/otel/sdk v1.25.0/go.mod h1:oFgzCM2zdsxKzz6zwpTZYLLQsFwc+K0daArPdIhuxkw=
-go.opentelemetry.io/otel/sdk/metric v1.25.0 h1:7CiHOy08LbrxMAp4vWpbiPcklunUshVpAvGBrdDRlGw=
-go.opentelemetry.io/otel/sdk/metric v1.25.0/go.mod h1:LzwoKptdbBBdYfvtGCzGwk6GWMA3aUzBOwtQpR6Nz7o=
+go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
+go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
+go.opentelemetry.io/otel/sdk/metric v1.26.0 h1:cWSks5tfriHPdWFnl+qpX3P681aAYqlZHcAyHw5aU9Y=
+go.opentelemetry.io/otel/sdk/metric v1.26.0/go.mod h1:ClMFFknnThJCksebJwz7KIyEDHO+nTB6gK8obLy8RyE=
 go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
 go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
 go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=

diff --git a/internal/config/server/webhook.go b/internal/config/server/webhook.go
@@ -18,6 +18,7 @@ package server
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 )
 
@@ -29,6 +30,8 @@ type WebhookConfig struct {
 	ExternalPingURL string `mapstructure:"external_ping_url"`
 	// WebhookSecret is the secret that we will use to sign our webhook
 	WebhookSecret string `mapstructure:"webhook_secret"`
+	// WebhookSecretFile is the location of the file containing the webhook secret
+	WebhookSecretFile string `mapstructure:"webhook_secret_file"`
 	// PreviousWebhookSecretFile is a reference to a file that contains previous webhook secrets. This is used
 	// in case we are rotating secrets and the external service is still using the old secret. These will not
 	// be used when creating new webhooks.
@@ -47,3 +50,15 @@ func (wc *WebhookConfig) GetPreviousWebhookSecrets() ([]string, error) {
 	secrets := strings.Fields(string(data))
 	return secrets, nil
 }
+
+// GetWebhookSecret returns the GitHub App's webhook secret
+func (wc *WebhookConfig) GetWebhookSecret() (string, error) {
+	if wc.WebhookSecretFile != "" {
+		data, err := os.ReadFile(filepath.Clean(wc.WebhookSecretFile))
+		if err != nil {
+			return "", fmt.Errorf("failed to read GitHub App webhook secret from file: %w", err)
+		}
+		return string(data), nil
+	}
+	return wc.WebhookSecret, nil
+}
diff --git a/internal/controlplane/handlers_githubwebhooks.go b/internal/controlplane/handlers_githubwebhooks.go
@@ -351,7 +351,12 @@ func validatePayloadSignature(r *http.Request, wc *server.WebhookConfig) (payloa
 		return
 	}
 
-	payload, err = github.ValidatePayloadFromBody(contentType, br, signature, []byte(wc.WebhookSecret))
+	whSecret, err := wc.GetWebhookSecret()
+	if err != nil {
+		return
+	}
+
+	payload, err = github.ValidatePayloadFromBody(contentType, br, signature, []byte(whSecret))
 	if err == nil {
 		return
 	}
@@ -398,6 +403,7 @@ func validatePreviousSecrets(
 		}
 	}
 
+	err = fmt.Errorf("failed to validate payload with any fallback secret")
 	return
 }
 

diff --git a/internal/controlplane/handlers_githubwebhooks_test.go b/internal/controlplane/handlers_githubwebhooks_test.go
@@ -86,12 +86,18 @@ func (s *UnitTestSuite) TestHandleWebHookPing() {
 	t := s.T()
 	t.Parallel()
 
+	whSecretFile, err := os.CreateTemp("", "webhooksecret*")
+	require.NoError(t, err, "failed to create temporary file")
+	_, err = whSecretFile.WriteString("test")
+	require.NoError(t, err, "failed to write to temporary file")
+	defer os.Remove(whSecretFile.Name())
+
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
 	mockStore := mockdb.NewMockStore(ctrl)
 	srv, evt := newDefaultServer(t, mockStore)
-	srv.cfg.WebhookConfig.WebhookSecret = "test"
+	srv.cfg.WebhookConfig.WebhookSecretFile = whSecretFile.Name()
 	defer evt.Close()
 
 	pq := testqueue.NewPassthroughQueue(t)
@@ -327,6 +333,23 @@ func (s *UnitTestSuite) TestHandleWebHookRepository() {
 	assert.Equal(t, repositoryID.String(), received.Metadata["repository_id"])
 
 	// TODO: assert payload is Repository protobuf
+
+	// test that if no secret matches we get back a 400
+	req, err = http.NewRequest("POST", fmt.Sprintf("http://%s", addr), bytes.NewBuffer(packageJson))
+	require.NoError(t, err, "failed to create request")
+	req.Header.Add("X-GitHub-Event", "meta")
+	req.Header.Add("X-GitHub-Delivery", "12345")
+	req.Header.Add("Content-Type", "application/json")
+	req.Header.Add("X-Hub-Signature-256", "sha256=ab22bd9a3712e444e110c8088011fd827143ed63ba8655f07e76ed1a0f05edd1")
+
+	_, err = prevCredsFile.Seek(0, 0)
+	require.NoError(t, err, "failed to seek to beginning of temporary file")
+	_, err = prevCredsFile.WriteString("lets-just-overwrite-what-is-here-with-a-bad-secret")
+	require.NoError(t, err, "failed to write to temporary file")
+
+	resp, err = httpDoWithRetry(client, req)
+	require.NoError(t, err, "failed to make request")
+	require.Equal(t, http.StatusBadRequest, resp.StatusCode, "unexpected status code")
 }
 
 // We should ignore events from packages from repositories that are not registered

diff --git a/internal/controlplane/handlers_projects.go b/internal/controlplane/handlers_projects.go
@@ -194,7 +194,7 @@ func (s *Server) DeleteProject(
 		Str("operation", "delete").
 		Str("project", projectID.String()).
 		Logger()
-	if err := projects.DeleteProject(ctx, projectID, qtx, s.authzClient, s.ghProviders, l); err != nil {
+	if err := projects.DeleteProject(ctx, projectID, qtx, s.authzClient, s.providerManager, l); err != nil {
 		return nil, status.Errorf(codes.Internal, "error deleting project: %v", err)
 	}
 

diff --git a/internal/controlplane/handlers_providers.go b/internal/controlplane/handlers_providers.go
@@ -32,7 +32,6 @@ import (
 	"github.com/stacklok/minder/internal/util"
 	cursorutil "github.com/stacklok/minder/internal/util/cursor"
 	minderv1 "github.com/stacklok/minder/pkg/api/protobuf/go/minder/v1"
-	provinfv1 "github.com/stacklok/minder/pkg/providers/v1"
 )
 
 // GetProvider gets a given provider available in a specific project.
@@ -171,16 +170,11 @@ func (s *Server) DeleteProvider(
 		return nil, status.Errorf(codes.InvalidArgument, "provider name is required")
 	}
 
-	provider, err := s.providerStore.GetByNameInSpecificProject(ctx, projectID, providerName)
+	err := s.providerManager.DeleteByName(ctx, providerName, projectID)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, util.UserVisibleError(codes.NotFound, "provider not found")
 		}
-		return nil, status.Errorf(codes.Internal, "error getting provider: %v", err)
-	}
-
-	err = s.deleteProvider(ctx, provider, projectID)
-	if err != nil {
 		return nil, status.Errorf(codes.Internal, "error deleting provider: %v", err)
 	}
 
@@ -202,16 +196,11 @@ func (s *Server) DeleteProviderByID(
 		return nil, util.UserVisibleError(codes.InvalidArgument, "invalid provider ID")
 	}
 
-	provider, err := s.providerStore.GetByID(ctx, parsedProviderID)
+	err = s.providerManager.DeleteByID(ctx, parsedProviderID, projectID)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, util.UserVisibleError(codes.NotFound, "provider not found")
 		}
-		return nil, status.Errorf(codes.Internal, "error getting provider: %v", err)
-	}
-
-	err = s.deleteProvider(ctx, provider, projectID)
-	if err != nil {
 		return nil, status.Errorf(codes.Internal, "error deleting provider: %v", err)
 	}
 
@@ -220,44 +209,6 @@ func (s *Server) DeleteProviderByID(
 	}, nil
 }
 
-func (s *Server) deleteProvider(ctx context.Context, provider *db.Provider, projectID uuid.UUID) error {
-	pbOpts := []providers.ProviderBuilderOption{
-		providers.WithProviderMetrics(s.provMt),
-		providers.WithRestClientCache(s.restClientCache),
-	}
-
-	p, err := providers.GetProviderBuilder(ctx, *provider, s.store, s.cryptoEngine, &s.cfg.Provider,
-		s.fallbackTokenClient, pbOpts...)
-	if err != nil {
-		return status.Errorf(codes.Internal, "cannot get provider builder: %v", err)
-	}
-
-	// If the provider is a GitHub provider with a valid credential, delete all repositories associated with the provider
-	if p.Implements(db.ProviderTypeGithub) &&
-		providers.GetCredentialStateForProvider(ctx, *provider, s.store, s.cryptoEngine, &s.cfg.Provider) ==
-			provinfv1.CredentialStateSet {
-		client, err := p.GetGitHub()
-		if err != nil {
-			return status.Errorf(codes.Internal, "error creating github provider: %v", err)
-		}
-
-		// Delete all repositories associated with the provider and remove the webhooks
-		err = s.repos.DeleteRepositoriesByProvider(ctx, client, provider.Name, projectID)
-		if err != nil {
-			// Don't fail the deletion if the repositories cannot be deleted or webhook cannot be removed
-			// The repositories will still be deleted by a cascade delete in the database
-			zerolog.Ctx(ctx).Error().Err(err).Str("projectID", projectID.String()).Msg("error deleting repositories")
-		}
-	}
-
-	// Delete the provider itself
-	err = s.ghProviders.DeleteProvider(ctx, provider)
-	if err != nil {
-		return status.Errorf(codes.Internal, "error deleting provider: %v", err)
-	}
-	return nil
-}
-
 func protobufProviderImplementsFromDB(ctx context.Context, p db.Provider) []minderv1.ProviderType {
 	impls := make([]minderv1.ProviderType, 0, len(p.Implements))
 	for _, i := range p.Implements {