Back to blog

GSOC Manage jenkinsci GitHub permissions as code

Danyang Zhao
Danyang Zhao
August 26, 2024

This blog showcases all the work done in the Manage jenkinsci GitHub permissions as code project during Google Summer of Code 2024.

About the Project

This project aims to create a solution that allows the Repository Permission Updater (RPU) to manage jenkinsci GitHub permissions as code. RPU is a vital tool used by Jenkins to manage artifactory permissions, bridge discrepancies between Jira and GitHub issues, and enable automatic releases. Currently, RPU oversees over 2600 GitHub teams, with all team modifications handled manually by the hosting team. Automating these processes aims to significantly enhance productivity by reducing the manual workload.

In Jenkins, there is a strategy of using teams to manage permissions effectively. Teams are categorized into two types:

Repository Teams are directly linked to specific repositories. The names of these teams typically follow the format $repo_name + Developers and they automatically assume the admin role. The developers in these teams are managed within the "permissions" section.

Additional GitHub Teams, in contrast to repository teams, oversee multiple repositories without being attached to any particular one. The roles of these teams can vary, depending on the needs of the repositories they manage. The developers in these teams are organized within the "teams" section.

To enhance the management of these two distinct team types, it is necessary to modify the current YAML structure.

Changes to YAML structure:

Before:

permissions/*.yml

...
developers:
  - "user1"
  - "user2"
...

teams/*.yml

---
name: "core"
developers:
  - "user1"
  - "user2"
...

After:

permissions/*.yml

...
developers:
  - ldap: "user1"
    github: "user1"
  - ldap: "user2"
    github: "github_user2"
repository_team: "example-repo Developers"
additional_github_teams:
  - name: "core_team"
    role: "admin"
...

teams/*.yml

---
name: "ux"
github_team_name: "sig-ux"
developers:
  - ldap: "user1"
    github: "user1"
  - ldap: "user2"
    github: "github_user2"
...

Phase 1

Successfully implemented the foundational goals outlined in the proposal.

YAML structure:

...
developers:
  - "user1"
  - "user2"
github_team: "example-repo Developers"

Skills Developed:

  • SnackYAML

  • GitHub API

  • Jenkinsfile

  • Docker

Phase 2

After initial implementations, I engaged in discussions with the hosting team to address real-world challenges and adapt our project accordingly.

YAML structure:

permissions/*.yml

...
developers:
  - "user1"
  - "user2"
repository_team: "example-repo Developers"
additional_github_teams:
  - name: "core_team"
    role: "admin"
...

teams/*.yml

---
name: "ux"
github_team_name: "sig-ux"
developers:
  - "user1"
  - "user2"
...

Skills Developed:

  • GitHub Actions

  • Java GitHub API

  • Testing with Mockito and JUnit

  • Introductory Terraform

Next steps

The development of this project has followed a complex path, shaped by real-world challenges encountered in Phase 2 that diverged from our initial plans. As we progress, several improvements remain to be addressed to ensure that our solutions effectively meet real-world needs.

  1. Due to potential discrepancies between LDAP and GitHub usernames, the YAML structure has been adjusted to include both.

  2. Terraform will be integrated to bolster security and streamline management across GitHub workflows.

  3. A one-off backfill process will be implemented to synchronize data from GitHub with YAML configurations before the initial deployment, ensuring consistency.

Summary

I am grateful for the opportunity to be a part of this project; without it, my amazing journey at Jenkins would not have been possible. Special thanks to my mentor Alexander Brandes for his support throughout the process. I also owe a lot to the org admins, particularly Alyssa Tong, who not only adjusted her schedule to overcome time zone differences but also provided invaluable guidance in project management, Kris Stern was always there to assist with development challenges, offering as much help as she could, and lastly, thanks to Bruno Verachten for his support.

About the author

Danyang Zhao

Danyang Zhao

Danyang graduated with a Master’s in Information Technology from the University of Queensland in 2024. She is contributing to the GSoC 2024 "Manage Jenkinsci GitHub Permissions as Code" project, which aims to automate the management of GitHub permissions for the Jenkinsci organization.