GitHub

Overview

GitHub[1] is the supported target for code repositories and continuous integration / continuous deployment ("CI/CD") workflows provisioned by Scaled Sense. As part of provisioning resources with Scaled Sense, GitHub repositories containing infrastructure-as-code ("IaC") and starter repositories for application code will be deployed.

Scaled Sense also subscribes to events emitted from the GitHub organizations where it is configured, so that it can observe, react to, and orchestrate aspects of the environment.

To support all scenarios, Scaled Sense publishes two GitHub Apps that require installation.

Commonly Used Resources

  • Organizations
  • Teams
  • Repositories
  • Actions
  • Environments
  • Runners

Permissions Requested

Scaled Sense Automation

Configuring the Scaled Sense Automation GitHub app will require consent to the following permissions:

Read access

  • commit statuses
    • Used to identify statuses associated with commits
  • metadata
    • Mandatory for GitHub apps to access metadata about the organization to function
  • organization events
    • Used to subscribe to events emitted by GitHub to react and orchestrate activity within the platform
  • repository advisories
    • Used to identify security advisories in the organization, if GitHub Advanced Security is enabled
  • secret scanning alerts
    • Used to identify code scanning alerts in the organization, if GitHub Advanced Security is enabled

Read and write access

  • actions
    • Used to trigger GitHub Actions
  • actions variables
    • Used to configure variables for the repositories it creates
  • administration
    • Used to create repositories and assign access
  • checks
    • Used to trigger check runs and administer check suites for repositories
  • code
    • Used to write infrastructure-as-code files and seed repositories for the repositories it creates
  • custom repository roles
    • Used to define custom roles for the assignment of permissions to repositories it creates
  • deployments
    • Used to administer and initiate deployments for the repositories it creates
  • environments
    • Used to define environments and their configuration for the repositories it creates
  • issues
    • Used to create and administer issues for the repositories it creates
  • members
    • Used to create and administer teams used in assigning access to the repositories it creates
  • organization action variables
    • Used to configure variables for the organization
  • organization secrets
    • Used to configure secrets for the organization
  • organization self hosted runners
    • Will be used to manage and configure self-hosted runners for the organization
  • organization administration
    • Used to configure base-level permissions and settings for the organization to support Scaled Sense
  • packages
    • Used to publish packages to the GitHub package platform for the repositories it creates
  • pull requests
    • Used to author pull requests for the repositories it creates
  • secrets
    • Used to configure secrets for the repositories it creates
  • security events
    • Used to write to the security event log
  • workflows
    • Used to define GitHub workflow files for the repositories it creates

Scaled Sense GitHub Runners

Read access

  • actions
    • Used to read information from triggered GitHub actions
  • checks
    • Used to read information from triggered checks on GitHub actions
  • metadata
    • Mandatory for GitHub apps to access metadata about the organization to function

Read and write access

  • administration
    • Used to retrieve secure information from the repository when setting up the execution of a run
  • organization self hosted runners
    • Scaled Sense uses this permission to register self-hosted runners for use in GitHub Action workflows
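
An added example (not Scaled Sense code) for checking an installed app against the list above: it compares the `permissions` object GitHub reports for an installation with the documented Scaled Sense GitHub Runners permissions and flags anything undocumented, broader than documented, or missing. The permission key names are an assumed mapping from the display names on this page, and the sample installation is constructed.

```python
import json

# Access levels in increasing order, so granted and documented can be compared.
LEVELS = {"read": 1, "write": 2, "admin": 3}

# Permissions this page documents for the Scaled Sense GitHub Runners app.
# Keys are the names used in an installation's "permissions" object
# (assumed mapping from the display names on this page).
DOCUMENTED_RUNNERS = {
    "actions": "read",
    "checks": "read",
    "metadata": "read",
    "administration": "write",
    "organization_self_hosted_runners": "write",
}

def audit_installation(installation, documented):
    """Return (finding, permission, level) tuples for every deviation."""
    granted = installation.get("permissions", {})
    findings = []
    for name, level in sorted(granted.items()):
        expected = documented.get(name)
        if expected is None:
            findings.append(("undocumented", name, level))
        # An unrecognised level string is treated as broader than anything documented.
        elif LEVELS.get(level, 99) > LEVELS[expected]:
            findings.append(("exceeds-documented", name, level))
    for name in sorted(set(documented) - set(granted)):
        findings.append(("not-granted", name, documented[name]))
    return findings

# Constructed sample shaped like one entry of GET /orgs/{org}/installations.
SAMPLE_INSTALLATION = json.loads("""
{
  "app_slug": "example-runners-app",
  "repository_selection": "all",
  "permissions": {
    "actions": "write",
    "administration": "write",
    "contents": "read",
    "metadata": "read",
    "organization_self_hosted_runners": "write"
  }
}
""")

if __name__ == "__main__":
    for finding in audit_installation(SAMPLE_INSTALLATION, DOCUMENTED_RUNNERS):
        print(*finding)
```

The same function works for the Scaled Sense Automation app once its documented permissions are written out as a second dictionary.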

Configuration Requirements

As part of configuring Scaled Sense for an organization, an administrator will be required to walk through an admin consent flow for two different Scaled Sense GitHub apps. One of these will need to be completed prior to accessing Scaled Sense and the other can be completed self-service in the Scaled Sense Portal.

The first is the Scaled Sense GitHub Runners app. A URL will be provided for a GitHub administrator to follow and consent to the installation of the app. Consenting to this app allows Scaled Sense's private self-hosted runners to be registered to a Runner Group in the organization where it is installed.

The second consent flow is for the Scaled Sense Automation app. This flow can be initiated by navigating to Configure > Platforms and configuring a GitHub Connection. Consenting to this application grants the Scaled Sense Automation app the permissions listed above for the GitHub organization where it is installed.

References