Merged
Changes from 9 commits
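--- a/clients/githubrepo/roundtripper/rate_limit.go
+++ b/clients/githubrepo/roundtripper/rate_limit.go
@@ -44,6 +44,14 @@ func (gh *rateLimitTransport) RoundTrip(r *http.Request) (*http.Response, error)
 if err != nil {
 return nil, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("innerTransport.RoundTrip: %v", err))
 }
+
+retryValue := resp.Header.Get("Retry-After")
+if retryAfter, err := strconv.Atoi(retryValue); err == nil { // if NO error
+gh.logger.Info(fmt.Sprintf("Retry-After header set. Waiting %d to retry...", retryAfter))
+time.Sleep(time.Duration(retryAfter) * time.Second)
+gh.logger.Info("Retry-After header set. Retrying...")
+}
+
 rateLimit := resp.Header.Get("X-RateLimit-Remaining")
 remaining, err := strconv.Atoi(rateLimit)
 if err != nil {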
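Review bot: The `time.Sleep(time.Duration(retryAfter) * time.Second)` call lets a response header decide how long this goroutine blocks, with no upper bound and no regard for `r.Context()`, so a single large `Retry-After` value stalls the worker and cancellation cannot interrupt the wait. I would clamp the value to a package-level maximum (named `maxRetryAfterSeconds` below, a new constant to be added) before converting it to a `time.Duration`, which also avoids overflow in the multiplication, and wait on a timer in a `select` alongside `r.Context().Done()`. The second log line says "Retrying...", but nothing in the visible lines re-sends the request; execution continues to the `X-RateLimit-Remaining` parsing on the same response, so the message should describe what actually happens after the wait. `Retry-After` may also carry an HTTP-date, which `strconv.Atoi` rejects and this code then silently skips. RoundTrip begins and ends outside the hunk.

```go
retryValue := resp.Header.Get("Retry-After")
if retryAfter, err := strconv.Atoi(retryValue); err == nil && retryAfter > 0 {
	// Bound the server-chosen delay before it becomes a Duration.
	if retryAfter > maxRetryAfterSeconds {
		retryAfter = maxRetryAfterSeconds
	}
	gh.logger.Info(fmt.Sprintf("Retry-After header set. Waiting %d to retry...", retryAfter))
	timer := time.NewTimer(time.Duration(retryAfter) * time.Second)
	select {
	case <-timer.C:
	case <-r.Context().Done():
		timer.Stop() // request cancelled; stop waiting
	}
}
// … unchanged: X-RateLimit-Remaining parsing …
```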
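--- a/clients/githubrepo/roundtripper/transport.go
+++ b/clients/githubrepo/roundtripper/transport.go
@@ -64,5 +64,11 @@ func (gt *githubTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 if err == nil {
 stats.Record(ctx, githubstats.RemainingTokens.M(int64(remaining)))
 }
+
+retryAfter, err := strconv.Atoi(resp.Header.Get("Retry-After"))
+if err == nil {
+stats.Record(r.Context(), githubstats.RetryAfter.M(int64(retryAfter)))
+}
+
 return resp, nil
 }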
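Review bot: The added `stats.Record` call passes `r.Context()` while the `RemainingTokens` record just above it passes `ctx`, so the `RetryAfter` measurement will presumably lack whatever tags were attached to `ctx` earlier in RoundTrip (where `ctx` is built is outside the hunk). Use the same context for both: `stats.Record(ctx, githubstats.RetryAfter.M(int64(retryAfter)))`. The header value is recorded as parsed, including zero, negative or very large numbers; if alerts are built on this metric, consider recording only when `retryAfter > 0`.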
4 changes: 3 additions & 1 deletion clients/githubrepo/stats/stats.go
Expand Up @@ -24,7 +24,9 @@ var (
// RemainingTokens measures the remaining number of API tokens.
RemainingTokens = stats.Int64("RemainingTokens",
"Measures the remaining count of API tokens", stats.UnitDimensionless)

// RetryAfter measures the retry delay when dealing with secondary rate limits.
RetryAfter = stats.Int64("RetryAfter",
"Measures the retry delay when dealing with secondary rate limits", stats.UnitSeconds)
// TokenIndex is the tag key for specifying a unique token.
TokenIndex = tag.MustNewKey("tokenIndex")
// ResourceType specifies the type of GitHub resource.
4 changes: 3 additions & 1 deletion cron/config/config.yaml
Expand Up @@ -43,7 +43,9 @@ additional-params:
api-results-bucket-url: gs://ossf-scorecard-cron-results
# TODO: Temporarily remove SAST and CI-Tests which require lot of GitHub API tokens.
# TODO(#859): Re-add Contributors after fixing inconsistencies.
blacklisted-checks: CI-Tests,Contributors
# TODO: Dependency-Update-Tool, Fuzzing, and SAST are search heavy
# TODO: Vulnerabilities is resource intensive, wait until the next osv-scanner release after v1.2.0
blacklisted-checks: CI-Tests,Contributors,Dependency-Update-Tool,Fuzzing,SAST,Vulnerabilities
cii-data-bucket-url: gs://ossf-scorecard-cii-data
# Raw results.
raw-bigquery-table: scorecard-rawdata
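Review bot: The two TODO comments about Dependency-Update-Tool, Fuzzing, SAST and Vulnerabilities give a reason for excluding those checks but no tracking issue, unlike `# TODO(#859)` directly above them, so nothing ties re-enabling them to an owner or a condition that can be checked. Assuming the longer `blacklisted-checks` line is the new value (the page does not mark sides), the cron run stops producing four security-relevant checks, and anyone reading its results should be able to find out why and until when. I would reference an issue in each comment, for example `# TODO(#<issue>): re-enable Vulnerabilities after the next osv-scanner release after v1.2.0`.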
2 changes: 1 addition & 1 deletion cron/config/config_test.go
Expand Up @@ -34,7 +34,7 @@ const (
prodCompletionThreshold = 0.99
prodWebhookURL = ""
prodCIIDataBucket = "gs://ossf-scorecard-cii-data"
prodBlacklistedChecks = "CI-Tests,Contributors"
prodBlacklistedChecks = "CI-Tests,Contributors,Dependency-Update-Tool,Fuzzing,SAST,Vulnerabilities"
prodShardSize int = 10
prodMetricExporter string = "stackdriver"
prodMetricStackdriverPrefix string = "scorecard-cron"
2 changes: 1 addition & 1 deletion cron/k8s/auth.yaml
Expand Up @@ -31,7 +31,7 @@ kind: Deployment
metadata:
name: scorecard-github-server
spec:
replicas: 1
replicas: 0
selector:
matchLabels:
app.kubernetes.io/name: github-auth-server
24 changes: 21 additions & 3 deletions cron/k8s/worker.release.yaml
Expand Up @@ -29,7 +29,7 @@ spec:
containers:
- name: worker
image: gcr.io/openssf/scorecard-batch-worker:latest
args: ["--ignoreRuntimeErrors=false", "--config=/etc/scorecard/config.yaml"]
args: ["--ignoreRuntimeErrors=true", "--config=/etc/scorecard/config.yaml"]
imagePullPolicy: Always
env:
- name: SCORECARD_DATA_BUCKET_URL
Expand All @@ -40,10 +40,22 @@ spec:
value: "gcppubsub://projects/openssf/subscriptions/scorecard-batch-worker-releasetest"
- name: SCORECARD_METRIC_EXPORTER
value: "printer"
- name: GITHUB_AUTH_SERVER
value: "10.4.4.210:80"
- name: GITHUB_APP_KEY_PATH
value: /etc/github/app_key
- name: GITHUB_APP_ID
valueFrom:
secretKeyRef:
name: github
key: app_id
- name: GITHUB_APP_INSTALLATION_ID
valueFrom:
secretKeyRef:
name: github
key: installation_id
- name: "SCORECARD_API_RESULTS_BUCKET_URL"
value: "gs://ossf-scorecard-cron-releasetest-results"
- name: "SCORECARD_BLACKLISTED_CHECKS"
value: "CI-Tests,Contributors,Dependency-Update-Tool,SAST"
resources:
requests:
memory: 5Gi
Expand All @@ -55,10 +67,16 @@ spec:
- name: config-volume
mountPath: /etc/scorecard
readOnly: true
- name: github-app-key
mountPath: "/etc/github/"
readOnly: true
volumes:
- name: config-volume
configMap:
name: scorecard-config
- name: github-app-key
secret:
secretName: github
strategy:
type: "RollingUpdate"
rollingUpdate:
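Review bot: The `github-app-key` volume mounts the entire `github` secret at `/etc/github/`, so every key in it, including `app_id` and `installation_id` that are already passed through `secretKeyRef`, appears as a file beside the private key, and the files get the default mode. I would project only the key file and tighten its mode with `items` and `defaultMode` on the volume; the key name `app_key` below is inferred from `GITHUB_APP_KEY_PATH` and needs checking against the actual secret. If the container runs as non-root, choose a mode and `fsGroup` that still let the worker read the file, since the pod's security context is not visible here. The same volume definition appears in cron/k8s/worker.yaml.

```yaml
- name: github-app-key
  secret:
    secretName: github
    defaultMode: 0400
    items:
    - key: app_key
      path: app_key
```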
20 changes: 18 additions & 2 deletions cron/k8s/worker.yaml
Expand Up @@ -32,8 +32,18 @@ spec:
args: ["--ignoreRuntimeErrors=true", "--config=/etc/scorecard/config.yaml"]
imagePullPolicy: Always
env:
- name: GITHUB_AUTH_SERVER
value: "10.4.4.210:80"
- name: GITHUB_APP_KEY_PATH
value: /etc/github/app_key
- name: GITHUB_APP_ID
valueFrom:
secretKeyRef:
name: github
key: app_id
- name: GITHUB_APP_INSTALLATION_ID
valueFrom:
secretKeyRef:
name: github
key: installation_id
resources:
requests:
memory: 5Gi
Expand All @@ -45,10 +55,16 @@ spec:
- name: config-volume
mountPath: /etc/scorecard
readOnly: true
- name: github-app-key
mountPath: "/etc/github/"
readOnly: true
volumes:
- name: config-volume
configMap:
name: scorecard-config
- name: github-app-key
secret:
secretName: github
strategy:
type: "RollingUpdate"
rollingUpdate: