[GH Request] Github integration request from 2U

[deborahgu]

Firm Name

2U

Urgency

Low (2 weeks)

Problem/Request

hi, this conversation was initially raised in #ask-axim.

Is there any possibility Axim would be open to letting 2U configure our Datadog instance to have the Github integration with the OpenEdX public repositories? Based on the docs and the setup config (picture pasted below), it should be simple to make it read only, and for public information only.

We would be requesting read-only access for Contents, Actions, Pull Requests, and Issues.

Note: If the openedx org contains any private repositories, actions, PRs, or issues, I suppose those would have a risk of being exposed; as a non-permissioned user I obviously don't know if any of those exist.

@robrap is willing to be a resource on this, if Axim approves.

DD allows fine-grained permission configuration on the integration, and this is what we would be requesting:

We also be able to get by with just Contents, honestly. The other 3 would add a couple of nice features but Contents is the big one.

Reasoning

This would allow Datadog to see our catalog-info.yml files, to link errors to lines of code, etc. I understand this might be a nonstarter, but it would make my life materially easier so I figured it was worth asking!

[github-actions]

Thank you for your report! @openedx/axim-oncall will triage within a business day. Simple requests usually take 2-3 business days to resolve; more complex requests could take longer.

[kdmccormick]

Hi @deborahgu . I didn't manage to get to this before the holidays, but I'll follow up in the week of Jan 6. I'll need to talk my team a bit. For full transparency, I think I'm comfortable with this from a security perspective, but before moving forward with it, I would want to make sure that this is the type of thing that Axim would be willing to do for any actively involved Open edX deployer who asked.

[deborahgu]

thanks! and to be very very clear, I think I'm making a hell of an ask and nobody at 2U would be surprised at all if you said no. I just figured it was worth asking. ❤️

Have a great holiday!

[kdmccormick]

@deborahgu I'm trying to do a dry-run of the setup process, just to ensure I fully understand the scope of the integration. I'm not able to get to a screen that looks like the one in the issue description. I've tried following these steps but I think I need to be authenticated into DataDog to use that workflow.

Will one of need both a 2U DataDog account and the Admin Role in the openedx GH org? Or is there some other way through the setup I'm not seeing?

[robrap]

@kdmccormick: I'll reach out to you directly.

[kdmccormick]

Here's what we (Axim) would need to be OK with this integration:

• The setup can be done without granting 2U any GH admin rights, or granting Axim any DD rights
• No recurring setup work for Axim engineering (e.g., we cannot be adjusting this integration every time a new repo is added)
• EITHER we need to ensure that DD can't read security forks, OR we need to clear it with Security WG if DD can read security forks

I've put the ball in @robrap 's court to try to ensure those things. If we are good on all those points, then I think this integration would be a "go"

[robrap]

Thanks @kdmccormick. I have opened a ticket with DD (private link).

• I'm guessing that DD might not even allow this setup without someone having proper access to both DD and Github, so this may be a non-starter. I'm waiting to hear back.
• I couldn't find anything quickly about security forks, so punting this question for now, because it may be moot.