📅 4/29 @ 1pm PT - GitHub Enterprise repository auditing with @jeffwilcox

[gr2m]

💁🏻 GitHub Enterprise repository auditing
📅 Thursday, April 29, 2021
🕐 1pm Pacific Time (in your timezone)
🎙️ with @jeffwilcox
🏷️ Enterprise, REST, Action

---

Subscribe to this issues to get a notification before the show begins and a summary after the show concludes.

GitHub Enterprise repository auditing

Jeff suggested that topic on Twitter.

The goal is to create a daily audit file with all teams that have the triage or maintain permission in any repository for a given GitHub organization. Bonus: add individual contributors to the audit.

Recommended before the show

• Watch 📅 4/26 @ 5pm PT - Create a cowsay GitHub Action with JavaScript #4 to learn how to create a GitHub Action with JavaScript from scratch. We will start out the show with a ready-to-use GitHub Action and build from there.

Outline

1. Preparations
   1. Make the the prepared repository of the new action public and show its functionality
   2. Register a new GitHub App on @opencontoso (link with configuration presets)
   3. Add the app's credentials as repository secrets to the new repository
   4. In the action, authenticate as the app and its name
2. Create the action
   1. Iterate through all @opencontoso repositories
   2. In each repository, iterate through all teams that have access
   3. Accumulate all repositories with their teams access permissions and set it as repositories action step output
   4. Update the test workflow in the repository
   5. Publish a new version of the action as v2
3. Use the action
   1. Create a new audit repository in @opencontoso
   2. Create an audit.yml GitHub Action workflow in that repository, with a repository_dispatch and a schedule trigger
   3. Use the new action, log out the output
   4. Instead of logging the output, write it as a line to an audit.ndjson.log file in the repository
4. Bonus
   • Add a timestamp to the log output
   • Iterate through all collaborators that were added directly

Preparation

• figure out how to host a stream that includes a guest calling in via video 🤣
• Prepare a dummy organization with several teams, repositories, and respective permissions for development and testing: @opencontoso
• Create a repository for the action based on https://github.com/gr2m/hello-world-js-action (created at https://github.com/gr2m/github-organization-repository-auditing-action)

[gr2m]

Prepare a dummy organization with several teams, repositories, and respective permissions for development and testing

@jeffwilcox can you prepare such an organization for the show? Or let me know what we need and I'll set it up

[gr2m]

figure out how to host a stream that includes a guest calling in via video

I've ended up using Streamyard which invites a guest to join a recording/broadcast directly through the browser.

Prepare a dummy organization with several teams, repositories, and respective permissions for development and testing

We created @opencontoso and will likely make some more changes before the show on Thursday

[gr2m]

Aaand that's a wrap, here is the recording on twitch: https://www.twitch.tv/videos/1005319644

[gr2m]

Show notes:

• The GitHub Action we built during the show: https://github.com/gr2m/github-organization-repository-auditing-action#readme. It's also on Marketplace: https://github.com/marketplace/actions/organization-repository-audit
• The octokit package: https://github.com/octokit/octokit.js. We use the App constructor in the show
• We mentioned Probot - the GitHub App framework: https://probot.github.io/
• What is Contoso? https://www.quora.com/Why-does-Microsoft-use-Contoso-as-a-fictional-company-everywhere-and-how-did-they-come-up-with-the-name
• Question about the triage and maintain keys in the "List Collaborators" endpoint https://github.community/t/list-repository-collaborators-with-triage-and-maintain-permissions/177306
• Issue on GitHub's OpenAPI specification repository about the missing permissions key in the "List Teams" endpoint: [Schema Inaccuracy] GET /repos/{owner}/{repo}/teams response includes "permissions" key github/rest-api-description#289
• Next show: GitHub Action Artifacts with @reconbot on Monday, May 3rd, at noon PT

[gr2m]

The show is now archived on YouTube: https://youtu.be/EqBMPLrouh8.

Feel free to ask more questions in this thread!