This package provides the GitHub App integration for Kiwi TCMS Enterprise and is designed to work only for multi-tenant environments! You don't need this add-on in order to run Kiwi TCMS without extended GitHub integration!
Communication from GitHub to this plugin is via webhooks.
Plugin behavior:
- Auto-configure which tenant to use for database operations, either 'public' or a single private tenant to which user has access.
- If unable to auto-configure display warning and redirect to configuration page once the GitHub account who installed this integration onto their GitHub repository logs into Kiwi TCMS
- Existing & newly created repositories are added as products in Kiwi TCMS
- BugSystem records are automatically configured for repositories
- Fork repositories are skipped
- Newly created git tags are added as product versions in Kiwi TCMS
See Issues for other ideas!
pip install kiwitcms-github-app
inside Kiwi TCMS's docker image and make sure the following settings are configured:
AUTHENTICATION_BACKENDS = [
'social_core.backends.github.GithubAppAuth',
...
]
SOCIAL_AUTH_GITHUB_APP_KEY = 'xxxxxx'
SOCIAL_AUTH_GITHUB_APP_SECRET = 'yyy'
KIWI_GITHUB_APP_SECRET = b'your-webhook-secret'
KIWI_GITHUB_APP_ID = 123456
KIWI_GITHUB_APP_PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
+++++++++base64-encoded-private-key+++++++
-----END RSA PRIVATE KEY-----"""
everything else will be taken care for by Kiwi TCMS plugin loading code!
This plugin needs an existing GitHub App application with the following configuration:
- User authorization callback URL: https://tcms.example.com/complete/github-app/
- Request user authorization (OAuth) during installation - True
- Webhook Active - True
- Webhook URL - https://tcms.example.com/kiwitcms_github_app/webhook/
- Webhook Secret - <the value of KIWI_GITHUB_APP_SECRET>
- SSL verification - Enabled
Then configure how the application interacts with GitHub:
- Repository permissions:
- Contents: Read-only
- Issues: Read & write (required for 1-click bug report on private repos)
- Metadata: Read-only
- User permissions:
- Email addresses: Read-only
- Subscribe to events:
- Meta
- Create
- Repository
- Refactor internal calls to PyGithub b/c of updated interface. Fixes Sentry KIWI-TCMS-V7
- Enable search for WebhookPayloadAdmin
- Start testing using upstream Postgres
- Filter DB only for 'github-app' instead of unconditionally using the first record. Fixes Sentry KIWI-TCMS-P5
- Relicense this package under GNU Affero General Public License v3 or later
- Prior versions are still licensed under GNU General Public License v3
- Pin indirect requirements to reduce the chance of installing vulnerable dependencies
- Remove the wrapper
GithubKiwiTCMSBot()class - Simplify
self.requesteroverride inPatchedGithub()class - Start using the new GitHub Auth parameters introduced in PyGithub==1.59.0
- 1-click bug report will now use
execution.build.version.productinstead ofexecution.run.plan.productfollowing changes in Kiwi TCMS, see: <https://github.com/kiwitcms/Kiwi/commit/48a33a71e664c8c3ed2ceb298b5f1e19d0bddb52>_ and PR #3439 for more details - Require minimum version of several transitive dependencies,
certifi>=2023.7.22,cryptography>=41.0.4,pyjwt>=2.4.0,requests>=2.31.0in order to minimize exposure to known security vulnerabilities - Build & test with Python 3.11
- Start testing with psycopg3
- Small updates around test jobs & CI
- Unpin PyGithub dependency
- Add more tests
- Refactor code so it works with PyGithub==1.58.0
- Remove PatchedGithubIntegration class
- Add sanity tests for upstream/downstream interfaces for PyGithub
- Adjust arguments for latest github.Github implementation
- Raise RuntimeError instead of Exception
- Don't ask user to configure GitHub App if they are not tenant owner. Breaks an endless loop cycle in case tenant creation goes wrong
- Specify 30 sec timeout for internal HTTP requests
- Improvements to CI
- Fix for GitHub exceptions. Fixes KIWI-TCMS-HH
- Don't crash on 404 from GitHub. Fixes KIWI-TCMS-EA
- Workaround upstream <PyGithub/PyGithub#2079>. Fixes KIWI-TCMS-HD
- Adjust 2 parameters for changes introduced in PyGithub 1.55
- Migrate to Python 3.8
- Always test with the latest Kiwi TCMS version
- Adjustments to the internal test suite now that Kiwi TCMS is available via source
- Prevent crash if
uidfield is not a number to make it work with Keycloak
- Don't cause ISE in case of race conditions between webhooks
- Fix ISE for existing Version
- Allow POST request (web hooks) without CSRF token
- Update for newer PyGithub
- Require login for views.Resync()
- Adjusted to work with Django 3.1 and Kiwi TCMS > 8.6
- Replace deprecated
url()withre_path() - Migrate the
payloadfield to newermodels.JSONFieldtype - Setting
PUBLIC_VIEWSis removed in Kiwi TCMS so remove the automatic adjustment - Make error messages for missing AppInst more clear
- Remove redundant if condition in Resync()
- Update translation strings
- Update documentation around GitHub permission requirements for 1-click bug report
- Add GitHub issue-tracker integration which authenticates as the installed app. Fixes Issue #25
- Configure BugSystem for new repos. Fixes Issue #15
- Create Product & BugSystem records when installation_repositores change. Fixes Issue #21
- Trigger resync from GitHub via menu. Fixes Issue #19
- Trigger resync from GitHub after AppInstallation is configured. Fixes Issue #20
- Database: Add
AppInstallation.settings_urlfield - Link to the correct URL for GitHub settings. Fixes Issue #33
- Require user to be logged in for ApplicationEdit. Fixes Issue #36
- Update translation strings
- Add more tests
- Install settings overrides under
tcms_settings_dir/(compatible with Kiwi TCMS v8.2 or later):- does not need
MIDDLEWAREandPUBLIC_VIEWSoverride anymore
- does not need
- Remove
GithubAppAuthbackend, shipped with social-auth-core v3.3.0 - Fix a redirect to use the correct name of our social_core backend
- Address GitHub API deprecation not yet fixed in social-auth-core
- Do not fail if product already exists
- Do not fail if repository doesn't have description
- Search UserSocialAuth by uid and provider
- initial release
