server, agent: GitHub app installation support for repository cloning #1165
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… the initRepo function two tests break and this string concat needs to be pulled out (or otherwise undone) to work.
…x the Github Trigger tests.
benbroadaway
changed the title
ibodrov
reviewed
Oct 15, 2025
| } | ||
|
|
||
| /** | ||
| * Refresh repositories by their IDs. |
There was a problem hiding this comment.
The comment doesn't match the method.
|
|
||
| @Value.Immutable | ||
| @Value.Style(jdkOnly = true, redactedMask = "**redacted**") | ||
| interface CacheKey { |
There was a problem hiding this comment.
Suggested change
| interface CacheKey { | |
| record CacheKey(URI repoUri, int weight) |
maybe? Calculate the weight when the key is created. Get rid of immutables and there won't be anything secret to print in the first place.
| @Value.Immutable | ||
| @Value.Style(jdkOnly = true) | ||
| @JsonDeserialize(as = ImmutableGitHubAppAuthConfig.class) | ||
| public interface GitHubAppAuthConfig extends MappingAuthConfig { |
There was a problem hiding this comment.
Can this be a record as well? Do the sanity check in the constructor?
benbroadaway
force-pushed
the
repo-uri-filter
branch
from
2c19b50 to
95340b7
Compare
|
Any chance to extract git.allowedSchemes into a separate PR? |
|
I’d even suggest splitting the server and agent parts into separate PRs... |
ibodrov
reviewed
Oct 30, 2025
|
|
||
| <sql> | ||
| insert into ROLE_PERMISSIONS values ( | ||
| (select ROLE_ID from ROLES where ROLE_NAME = 'concordAdmin'), |
There was a problem hiding this comment.
I think only agents are going to need this permission? If so then should we create an agent role?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Original intent: There's already mitigation in the UI, however this would not stop a nefarious actor who sends a POST request without the UI; this is intended to cover that case.
The need for GitHub app support for cloning usurps these mitigations, so this PR now builds off that idea and incorporating the GitHub app's auth, with additional design considerations for similar auth patterns for other services (e.g. a GitLab auth provider).
The sequence for cloning with auth from a GitHub app installation is:
sequenceDiagram participant concord-agent participant concord-server participant token-cache concord-server->>+token-cache: get token for repo token-cache-->>token-cache: cached installation token for repo token-cache-->>token-cache: validate token expiration token-cache-->>+GitHub: or Generate new token GitHub-->>-token-cache: new 1-hour installation client token token-cache->>-concord-server: installation token concord-server->>+concord-server: clone repo concord-server->>+concord-agent: dispatch workflow concord-agent->>+concord-server: lookup token concord-server->>+token-cache: retrieve token token-cache-->>token-cache: cached installation token for repo token-cache-->>token-cache: validate token expiration token-cache-->>+GitHub: or Generate new token GitHub-->>-token-cache: new 1-hour installation client token token-cache->>-concord-server: installation token concord-server->>+concord-agent: installation token concord-agent->>+concord-agent: clone repo concord-agent->>+concord-agent: start workflow runner