92b1639ae5
* feat: support custom repo properties * nvm logging good * node 18 |
||
---|---|---|
.github | ||
.husky | ||
src | ||
static | ||
.dockerignore | ||
.env.example | ||
.gitignore | ||
.prettierrc.json | ||
Dockerfile | ||
LICENSE | ||
Makefile | ||
README.md | ||
app.json | ||
package.json | ||
tsconfig.json | ||
yarn.lock |
README.md
Sheriff: Permissions Bot
This bot, when deployed as a Heroku app and configured correctly, is capable of controlling permissions across GitHub, Slack and GSuite. It also actively monitors and alerts you to suspicious or unexpected activity on GitHub.
How It Works
Using a combination of webhooks and a YAML configuration file, Sheriff will automatically control your permissions and access controls across GitHub, Slack and GSuite. (Slack and GSuite plugins are optional and disabled by default).
It will post to a designated Slack channel every time it updates any permission setting or any time it detects potentially suspect actions including new deploy keys with write access, tag deletion or release branch deletion.
If you have an organization with a lot of repositories and/or org members using Sheriff can help ensure your organization remains secure and transparent.
Deployment
We recommend deploying this as a Heroku app (this is how Electron has deployed it), although you can use another deployment strategy if you want. There are three core components to Sheriff, all of which need to be configured for it to work:
The Webhook
Deploy the webhook to Heroku with this button ➡️
To the run the webhook server, you need to start the main Sheriff entry point.
npm start
You then need to create a webhook for your entire organization; you can do this on your organization's GitHub webhooks page:
https://github.com/organizations/{orgname}/settings/hooks/new
You want to specify the following options:
Payload URL
- The deployed URL of your webhook server, e.g. https://my-sheriff.mysite.comContent type
-application/json
Secret
- Generate a random and secure secret here and save it for later in the configurationWhich events?
- Choose "Send me everything"
Finally, click "Add webhook".
The GitHub App
To manage GitHub instances, Sheriff requires you to create a GitHub App that gets installed in the desired Org.
The app needs the following OAuth scopes permitted:
Org:
administration:write
contents:read
metadata:read
Repo:
members:write
Once created, you can generate and download a Private Key for the app, and supply it to Sheriff.
Before setting it as SHERIFF_GITHUB_APP_CREDS
, you must pass it through a utility to change the format to what Octokit is expecting:
npx @electron/github-app-auth --creds={path-to-downloaded-private-key} --app-id={id-from-created-github-app}
The Cron Job
The actual permissions controller should be triggered every 10 minutes as a cron job. You can run this job with:
node lib/permissions/run.js --do-it-for-real-this-time
If you leave off the --do-it-for-real-this-time
Sheriff will "dry run" and tell you what it would have done if you had let it run.
On Heroku you use the "Heroku Scheduler" addon to configure this cron job.
The Slack App
In order to provide realtime information on the actions Sheriff takes, we use a Slack app that sends messages to a channel. You'll need to create your own Slack App by following the instructions below.
- Create a new Slack app on https://api.slack.com/apps - Name it whatever you like and choose your workspace as the development workspace
- Go to "Incoming Webhooks" and enable it
- Click "Add New Webhook to Workspace" and choose the channel you want Sheriff to post in to
- Keep a note of the newly created
Webhook URL
as you'll need it later for configuration purposes. - Go to "OAuth & Permissions" and add the following OAuth scopes.
usergroups:read
,usergroups:write
,users:read
andusers:read:email
. - Follow the prompt to reinstall your app for the new OAuth scopes to take effect
- Keep a note of the
OAuth Access Token
at the top of the page as you'll need it later for configuration purposes.
Configuration
Service Config
The following environment variables represent the configuration of the actual Sheriff deployment. For the
permissions.yaml
reference see the Permissions File section.
Name | Required | Value | For Plugin |
---|---|---|---|
PERMISSIONS_FILE_ORG |
✔️ | The name of the GitHub org where you put the .permissions repository |
|
PERMISSIONS_FILE_REPO |
Override the default repo to look for config.yaml |
.permissions |
|
PERMISSIONS_FILE_PATH |
Override the default filepath to look for the Sheriff config | config.yaml |
|
PERMISSIONS_FILE_REF |
Override the default repo branch to look for the Sheriff config | main |
|
GITHUB_WEBHOOK_SECRET |
✔️ | The secret for the org-wide webhook you configured earlier | |
SLACK_TOKEN |
✔️ | The token for your Slack App you created earlier | |
SLACK_WEBHOOK_URL |
✔️ | The webhook URL for your Slack App you created earlier | |
SHERIFF_HOST_URL |
✔️ | The fully qualified URL for your deployed webhook | |
SHERIFF_PLUGINS |
A comma separated list of plugins to enable. Possible plugins are gsuite and slack |
||
SHERIFF_IMPORTANT_BRANCH |
A regular expression to match important branches you want to monitor for deletion | ||
SHERIFF_GITHUB_APP_CREDS |
✔️ | Private key credentials generated for a GitHub App. | |
GSUITE_CREDENTIALS |
GSuite credentials | gsuite |
|
GSUITE_TOKEN |
GSuite authentication token | gsuite |
|
SHERIFF_GSUITE_DOMAIN |
The primary domain of your GSuite account | gsuite slack |
|
SHERIFF_SLACK_DOMAIN |
The "domain" part of {domain}.slack.com for your Slack instance |
gsuite if you add slack email addresses to your google groups for notifications |
Permissions File
Your organization permissions are controlled through a config.yaml
file stored in a .permissions
repository
in your GitHub organization. We keep that .permissions
repository private but you can choose to keep it
public if you wish. That repository needs a config.yaml
file at the top level that is in the following format:
organization: <name of github org>
repository_defaults:
# Whether repositories should have wikis enabled by default or not
# For security reasons, you should consider defaulting this to false
has_wiki: <boolean>
# Teams are not specific to a single platform; they are shared across GitHub, Slack and GSuite
teams:
- name: <team name>
# A list of members / maintainers of this GitHub team
# Maintainer in GitHub conveys some extra permissions over the team (set description, avatar, etc.)
members:
- list
- of
- gh_usernames
maintainers:
- list
- of
- gh_usernames
# Or don't provide members/maintainers and instead provide a list of other
# teams to draw users from. This doesn't set any parent/child relationship
# rather it simply says:
# for team of formation:
# self.members += team.members
# self.maintainers += team.maintainers
# i.e. doing a union of members/maintainers of the formation teams to create
# a new member list
formation:
- list
- of
- other
- teams
# Optional team properties
# Human friendly display name for GSuite and Slack groups
displayName: <string>
# Hidden GitHub team? true=yes, false=no
secret: <boolean>
# Create a slack user group for this team
# false=no, true=use name of team, string=custom_name
# Used by the `slack` plugin
slack: <boolean> | <string>
# Create a GSuite group for this team
# Leave undefined for "no"
# Used by the `gsuite` plugin
gsuite:
# internal = only visible to other GSuite members
# external = public facing group email address
privacy: internal | external
repositories:
- name: <repo name>
teams:
<team_name>: read | triage | write | maintain | admin
external_collaborators:
<gh_username>: read | triage | write | maintain | admin
# Optional repository settings
settings:
# Wiki enabled? true=yes, false=no
has_wiki: <boolean>
# Public vs Private repository, no value is assumed to mean public
visibility: public | private
Generating your initial configuration
You can generate a permissions file for the current state of your org using the generate
helper script.
node lib/permissions/generate.js
Please note you may want to edit this generated YAML file:
- All org owners are considered
maintainers
of the teams they are in, this may be semantically incorrect - No GSuite or slack configuration is included in the generated file
- You may want to use the
formation
property to declare larger teams instead of listing all members individually
However in theory running Sheriff immediately on this generated file should result in a no-op run.
Deployment Recommendations
You should have alerting set up in case the cron job fails. Occasionally, it will fail due to an unexpected state on GitHub or an incorrect/incomplete permissions file.
Known Limitations
- Sheriff is not currently capable of inviting people to your org
- Before adding them to the permissions file, ensure you've added them to the org.
- Sheriff will not remove people from your org, if your has "default member permissions" you should ensure users are manually removed when appropriate