GitHub sync

[zacck]

Notes for the reviewer

Draft pr for github sync, still some clean up to do but so far working

Related issue

Fixes #970

Review checklist

• I have performed a self-review of my code
• I have verified that all appropriate authorization policies have been implemented and tested
• If needed, I have updated the changelog
• Product has QA'd this feature

[stuartc]

@zacck looking like this is taking shape, we're going to need a lot more tests though - especially in the GithubClient and token stuff...

[codecov]

Codecov Report

Patch coverage: 81.48% and project coverage change: -0.12% ⚠️

Comparison is base (f25f5a8) 85.90% compared to head (950ba9d) 85.78%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1007      +/-   ##
==========================================
- Coverage   85.90%   85.78%   -0.12%     
==========================================
  Files         179      184       +5     
  Lines        5071     5206     +135     
==========================================
+ Hits         4356     4466     +110     
- Misses        715      740      +25     

Files Changed	Coverage Δ
...ing_web/controllers/api/provisioning_controller.ex	66.66% <0.00%> (-26.67%)	⬇️
lib/lightning_web/live/project_live/settings.ex	85.38% <67.92%> (-12.02%)	⬇️
lib/lightning/version_control/github_client.ex	94.59% <94.59%> (ø)
lib/lightning/version_control/project_repo.ex	100.00% <100.00%> (ø)
lib/lightning/version_control/version_control.ex	100.00% <100.00%> (ø)
...ning_web/controllers/version_control_controller.ex	100.00% <100.00%> (ø)
...g_web/live/project_live/delete_connection_modal.ex	100.00% <100.00%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[stuartc]

Ran out of time for today - will pick up the rest of this first thing in the AM, for now I've left a few comments around the config/env changes.

[stuartc]

Why is this here? Sentry is/was configured at the bottom of the file?

[zacck]

This is an error, didn't notice it before

[stuartc]

What is :noset? Why not default to nil? I don't see notset or noset used anywhere.

[zacck]

The intention was to leave a message for one to configure github, this can be achieved with nil as well will ammend

[stuartc]

Please change it to reflect the correct cert env variable.

If there is no default to set in the example then prepend the env vars with a hash.

I don't think there is any default we can provide for this.

[stuartc]

Please don't use System.put_env, instead of implicitly coupling this to runtime.exs - rather use config :lightning, :github_app, ... and then have runtime.exs override only if ENV vars are present...

config/3 overrides conflicting keys on subsequent calls, so we can call it as many times as we want..

[stuartc]

Hey @zacck!

Systems/Flow/Design

It looks like you can only have one redirect url after a Github app installation, this is currently set to localhost:4000. This will pose problems with staging and production, in addition to different developers testing this locally.

Not without having a separate GitHub app for staging, production and development.

Opening a new tab and using a broadcast to update the settings page was an approach that was discussed - I'm not sure why it wasn't the road we took.

From looking around the documentation it appears that you can use a state query parameter when requesting a new application installation, by using that we can have the same experience as Google Sheets. See here and here. Anyway, given the current implementation this isn't necessary.

The webhook url is set to app.openfn.org. Which is correct, for production.

1. We should be using the webhook secret facility for our webhooks and validate the payload (see here)
2. We need to create a Github app for staging, production and dev each either the appropriate URLs for webhooks etc.
3. The Github apps settings point at the app domain + /, when Github does a POST to this path it will get a 404.

• Are we using any of the Webhooks that Github sends?
• Can we/should we disable webhooks for the app?

Code/Tests

4. No tests for VersionControlController
5. VersionControlController has no error handling in the event an installation id doesn't exist.
6. No tests for jwt token generation [@stuartc done]
7. No tests for fetching/setting up a github connection/repo.
8. All GithubClient calls assume success, we need to ensure failures don't result in crashed LiveViews.

Features/UX

9. Show that Github integration is not available on a given installation [@stuartc done]
10. The 'Stop Syncing' feature outlined in the spec doesn't appear to be implemented

• We don't need this yet, because Syncing is manual, we do need to handle errors if the app is disconnected on the Github side.

11. No loading indicator when the app is fetching a list of repos, it's not in the spec but I think it's important to show we are waiting on a 3rd-party.
12. Modal for "Reinstall app"

I've made a bunch of small-ish changes, and rebase off main.

[zacck]

Hey @NickOpenFn @taylordowns2000 Here is how the click test looks at the moment

Screenshare.-.2023-08-17.9_52_08.AM.mp4

[stuartc]

I think we need some kind of :on_delete behaviour here... @taylordowns2000 your thoughts?

So right now if a project is about to be deleted (or the user) it won't be possible because of this outstanding relationship.

Do we manage this in the delete/purge logic or add a nillify or delete_all cascade option in the schema?

[zacck]

good catch, let me know and I'll add it in

[taylordowns2000]

@zacck , please add an on_delete cascade for when a project is deleted and an on_delete nillify for when a user is deleted.

in other words: if the user who set the thing up is deleted, the PRC will stay. if the project is deleted, the PRC will also be deleted.

thank you!

[stuartc]

diff --git a/test/lightning/version_control/github_client_test.exs b/test/lightning/version_control/github_client_test.exs
index 1b63a5df5..9aaddb969 100644
--- a/test/lightning/version_control/github_client_test.exs
+++ b/test/lightning/version_control/github_client_test.exs
@@ -19,6 +19,9 @@ defmodule Lightning.VersionControl.GithubClientTest do
           "https://github.com/gitapi/app/installations/some-id/access_tokens" ->
             %Tesla.Env{status: 200, body: %{"token" => "some-token"}}
 
+          "https://github.com/gitapi/app/installations/invalid/access_tokens" ->
+            %Tesla.Env{status: 401, body: %{"message" => "Bad credentials"}}
+
           "https://github.com/gitapi/installation/repositories" ->
             %Tesla.Env{
               status: 200,
@@ -44,6 +47,11 @@ defmodule Lightning.VersionControl.GithubClientTest do
     test "client can fetch repo branches" do
       p_repo = insert(:project_repo)
 
+      assert {:ok, ["master"]} =
+               VersionControl.fetch_repo_branches(p_repo.project_id, p_repo.repo)
+
+      p_repo = insert(:project_repo, github_installation_id: "invalid")
+
       assert {:ok, ["master"]} =
                VersionControl.fetch_repo_branches(p_repo.project_id, p_repo.repo)
     end

@zacck check this out, we spoke about this the other day - it's really easy to get a cryptic error when the installation has been removed on the other side (or a failure of any kind):

  1) test Github Client client can fetch repo branches (Lightning.VersionControl.GithubClientTest)
     test/lightning/version_control/github_client_test.exs:47
     ** (ArgumentError) construction of binary failed: segment 2 of type 'binary': expected a binary but got: nil
     code: VersionControl.fetch_repo_branches(p_repo.project_id, p_repo.repo)
     stacktrace:
       (lightning 0.7.3) lib/lightning/version_control/github_client.ex:76: Lightning.VersionControl.GithubClient.build_client/1
       (lightning 0.7.3) lib/lightning/version_control/github_client.ex:27: Lightning.VersionControl.GithubClient.get_repo_branches/2
       (lightning 0.7.3) lib/lightning/version_control/version_control.ex:78: Lightning.VersionControl.fetch_repo_branches/2
       test/lightning/version_control/github_client_test.exs:56: (test)

When I intentionally change test/lightning_web/live/project_live_test.exs:402 to return a 401, the tests still pass but I can see a bunch of exceptions from the async task.

We need to handle these known sad paths, at the very least to stop server errors, but probably getting some kind of feedback to the user that something went wrong.

[taylordowns2000]

hey @zacck , i spoke with Stu today and this is looking good. if you address his two points above (the on_delete stuff and this one) the recommendation would be to then merge this to main and iron out any additional changes/bugs/whatever once it's already deployed on demo.openfn.org (we do "edge" deployment, triggered by commits to the main branch.)

the hope is that this will be much easier to make the finishing touches on once it's running on a real server and we can see how it feels to hook up several projects to github.

sound good?