I’m trying to use BuildKite for a community CI service, where the GitHub users don’t get admin access to the BuildKite organization, and vice versa (BuildKite admins aren’t necessarily admins of the GitHub repo or organization). That means, as far as I understand, that we can’t use the GitHub app as documented here: GitHub | Buildkite Documentation
As a result, our pipelines fail to push status updates to the GitHub repositories they provide CI for. I was wondering if the OAuth integration from GitHub | Buildkite Documentation could be used to provide those statuses. Having created a test user with member-level access to the BuildKite instance, and a pipeline that user has access to for a repo he has admin permissions on GitHub, BuildKite still fails to push status updates.
I did of course enable the BuildKite OAuth integration from BuildKite’s ‘personal settings’ (Sign in to GitHub · GitHub), but I’m not sure how to tell BuildKite how to use that account. When creating a pipeline, the repository settings account dropdown does not list the user I’ve set up the integration for as an option, so maybe something’s wrong there?
Hi @maleadt, we built the GitHub App integration with the expectation that admins would be a similar set of people between multiple moving parts in the chain, and that that was indicative of their explicit permission to make security-sensitive decisions for the projects, but sometimes this is not the case!
Right now, it’s necessary that the user is an admin of both sides of the chain only at the point of connection, so if a user could be made admin on one or the other side to make the connection, and then removed, that would work.
On the other side of things, adding the OAuth integration gives us access as you, not simply to act as Buildkite, which is why we much prefer the GitHub App integration; it’s prone to fewer issues on our end. The tradeoff, of course, is that we are a distinct entity in the chain of trust, rather than simply acting as though we’re the user, so we’re trying to make respectful and sensible security decisions on that end!
Using the OAuth integration should also get status updates working, so long as you have the requisite permissions.
We recommend that as many Buildkite users as possible have their GitHub accounts connected to their Buildkite accounts when using OAuth, as that reduces the chances of it breaking entirely; with OAuth connections, we attempt to post using each connected user’s permissions until we manage to post the status or run out of connections. There’s also no explicit connection made between Buildkite org and GitHub account, so it’s very much dependent on people having the right permissions, and URLs matching up for it to work correctly, and as you’ve seen, OAuth connections can’t populate the repository selector as GitHub App connections do.
If you would like a hand debugging the OAuth side of things, please send us an email at support@buildkite.com with the email address of the Buildkite user and the GitHub username they’re connected to and we can have a look.
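An added example, not part of the reply above and not Buildkite's code: a small offline model of the "try each connected user until one can post" behaviour, useful for reasoning about why a status never arrives. It assumes GitHub's rules that creating a commit status needs push access and an OAuth token with the `repo` or `repo:status` scope; the function names, the connection records and the repository are constructed for illustration.

```python
import re

def normalize_repo_url(url):
    """Reduce SSH/HTTPS forms of a github.com remote to lowercase 'owner/repo'."""
    m = re.match(
        r"^(?:https?://|ssh://git@|git@|git://)?github\.com[:/]+"
        r"([^/\s]+)/([^/\s]+?)(?:\.git)?/?$",
        url.strip(), re.IGNORECASE)
    return f"{m.group(1)}/{m.group(2)}".lower() if m else None

def first_connection_able_to_post(pipeline_repo_url, connections):
    """Return (login, reasons_for_skipped_connections); login is None if all fail."""
    target = normalize_repo_url(pipeline_repo_url)
    if target is None:
        return None, ["pipeline repository URL is not a github.com URL"]
    skipped = []
    for conn in connections:
        # 'repos' mimics the permissions object GitHub returns per repository.
        perms = conn["repos"].get(target)
        if perms is None:
            skipped.append(f"{conn['login']}: cannot see {target}")
        elif not ({"repo", "repo:status"} & conn["scopes"]):
            skipped.append(f"{conn['login']}: token lacks repo:status scope")
        elif not perms.get("push"):
            skipped.append(f"{conn['login']}: no push access to {target}")
        else:
            return conn["login"], skipped
    return None, skipped

# Constructed sample data: three connected users of one hypothetical repository.
CONNECTIONS = [
    {"login": "alice-example", "scopes": {"repo:status"},
     "repos": {"example-org/widgets": {"admin": False, "push": False, "pull": True}}},
    {"login": "bob-example", "scopes": {"read:user"},
     "repos": {"example-org/widgets": {"admin": True, "push": True, "pull": True}}},
    {"login": "carol-example", "scopes": {"repo:status"},
     "repos": {"example-org/widgets": {"admin": False, "push": True, "pull": True}}},
]

if __name__ == "__main__":
    login, skipped = first_connection_able_to_post(
        "git@github.com:Example-Org/Widgets.git", CONNECTIONS)
    print("status would be posted as:", login)
    for reason in skipped:
        print("skipped", reason)
```
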
I realize the way I’m trying to use Buildkite probably doesn’t match most use cases, so it’s understandable the app doesn’t cover it. I’ll send a mail to support with some more details about the OAuth integration though, as it would be much easier if I could get that to work (reliably).
Great, I had already noticed that but it’s good to see it confirmed. Would be an acceptable workaround if I can’t get OAuth to work.