GSOC Manage jenkinsci GitHub permissions as code
This blog showcases all the work done in the Manage jenkinsci GitHub permissions as code project during Google Summer of Code 2024.
About the Project
This project aims to create a solution that allows the Repository Permission Updater (RPU) to manage jenkinsci GitHub permissions as code. RPU is a vital tool used by Jenkins to manage artifactory permissions, bridge discrepancies between Jira and GitHub issues, and enable automatic releases. Currently, RPU oversees over 2600 GitHub teams, with all team modifications handled manually by the hosting team. Automating these processes aims to significantly enhance productivity by reducing the manual workload.
In Jenkins, there is a strategy of using teams to manage permissions effectively. Teams are categorized into two types:
Repository Teams are directly linked to specific repositories. The names of these teams typically follow the format $repo_name + Developers and they automatically assume the admin role. The developers in these teams are managed within the "permissions" section.
Additional GitHub Teams, in contrast to repository teams, oversee multiple repositories without being attached to any particular one. The roles of these teams can vary, depending on the needs of the repositories they manage. The developers in these teams are organized within the "teams" section.
To enhance the management of these two distinct team types, it is necessary to modify the current YAML structure.
Changes to YAML structure:
Before:
permissions/*.yml
...
developers:
- "user1"
- "user2"
...teams/*.yml
---
name: "core"
developers:
- "user1"
- "user2"
...After:
permissions/*.yml
...
developers:
- ldap: "user1"
github: "user1"
- ldap: "user2"
github: "github_user2"
repository_team: "example-repo Developers"
additional_github_teams:
- name: "core_team"
role: "admin"
...teams/*.yml
---
name: "ux"
github_team_name: "sig-ux"
developers:
- ldap: "user1"
github: "user1"
- ldap: "user2"
github: "github_user2"
...Phase 2
After initial implementations, I engaged in discussions with the hosting team to address real-world challenges and adapt our project accordingly.
Next steps
The development of this project has followed a complex path, shaped by real-world challenges encountered in Phase 2 that diverged from our initial plans. As we progress, several improvements remain to be addressed to ensure that our solutions effectively meet real-world needs.
-
Due to potential discrepancies between LDAP and GitHub usernames, the YAML structure has been adjusted to include both.
-
Terraform will be integrated to bolster security and streamline management across GitHub workflows.
-
A one-off backfill process will be implemented to synchronize data from GitHub with YAML configurations before the initial deployment, ensuring consistency.
Summary
I am grateful for the opportunity to be a part of this project; without it, my amazing journey at Jenkins would not have been possible. Special thanks to my mentor Alexander Brandes for his support throughout the process. I also owe a lot to the org admins, particularly Alyssa Tong, who not only adjusted her schedule to overcome time zone differences but also provided invaluable guidance in project management, Kris Stern was always there to assist with development challenges, offering as much help as she could, and lastly, thanks to Bruno Verachten for his support.
About the author