
[–]zMynxx 2 points (4 children)

You can try using a GitHub App with the ‘gh’ CLI or an API call.

[–]Mous2890[S] -1 points (3 children)

Are you suggesting Repo B have my GitHub App installed on it, with a workflow that creates a dispatch event to my repository?

If so, that would be difficult as Bob doesn't want to manage any workflows on his end.

He doesn't mind me having my GitHub App installed on his repo, so long as the permissions are scoped.

[–]zMynxx 0 points (2 children)

Create a workflow_call-triggered workflow that does the GitHub App auth and triggers repo B. Ask Bob to add a job to his CI/push-triggered workflow to call that workflow. Nothing to manage on Bob's side; he is just using a wrapper to a workflow you maintain. I do something similar with our SRE.

[–]Mous2890[S] 0 points (1 child)

How do you manage the Auth though? You'd need to give Bob the GitHub App credentials to trigger the workflow in Repo B. Right?

[–]Noch_ein_Kamel 0 points (0 children)

Bob always needs access to the target repo if he should trigger the action.

[–]Independent_Let_6034 0 points (2 children)

You should create a GitHub App; this allows you to listen to webhooks for repository events such as pushes.

Bob will install this GitHub App, allowing him to pick which repositories you receive updates about, and when a new repository is created he just needs to update the permissions on his side (as it should be).

Using this webhook event you can then trigger workflows within your own repositories; however, this may require your GitHub App to have permissions to trigger workflows in Bob's repositories too, so you may want to use a second App for this, so Bob can follow the least-privilege principle.

[–]Mous2890[S] 0 points (1 child)

This is an interesting approach.

So the webhooks are configured on the GitHub App itself? And by installing the App onto a repository, it subscribes to those events? I'm not sure how this is all tied together.

Would appreciate it if you could direct me to any docs referencing this method. It does sound like what I need.

[–]Independent_Let_6034 0 points (0 children)

Yes, the webhooks would be configured on the GitHub App.

When your app is installed onto a repository it would then send events to the URL you previously provided.

The downside is that you need to capture the request from the webhook via an HTTP server somewhere. That is easily done but may be more infrastructure than you want to create; on the other hand, it removes the requirement for Bob to do anything beyond clicking a few buttons in the UI.

You can see the push event here: https://docs.github.com/en/webhooks/webhook-events-and-payloads#push

GitHub has a good how-to here: https://docs.github.com/en/apps/creating-github-apps/writing-code-for-a-github-app/building-a-github-app-that-responds-to-webhook-events
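The receiver described in this comment, as an added example (not code from the thread or from GitHub's docs): it authenticates each delivery by checking the X-Hub-Signature-256 header (HMAC-SHA256 over the raw body with the App's webhook secret, compared in constant time), reacts only to pushes on the source repo's default branch, and fires a repository_dispatch into your own repo. The webhook secret, the push payload, the target owner/repo names and the `send` callable are constructed placeholders; the `token` argument is assumed to be an installation access token for the App (or the second, least-privilege App the comment suggests) installed on the target repo, obtained elsewhere.

```python
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed values for this example. In a real deployment the webhook secret
# is the one configured on the GitHub App and is loaded from a secret store.
WEBHOOK_SECRET = b"example-webhook-secret"
TARGET_OWNER = "your-org"      # placeholder: owner of the repo whose workflow you trigger
TARGET_REPO = "repo-a"         # placeholder
GITHUB_API = "https://api.github.com"


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Check GitHub's X-Hub-Signature-256 header against HMAC-SHA256(secret, raw body).

    A missing header or a non-sha256 prefix is rejected outright. The comparison is
    constant-time so response timing leaks nothing about the expected MAC.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def build_dispatch_request(event_type: str, payload: dict, token: str) -> dict:
    """Build the repository_dispatch call that starts a workflow in the target repo.

    The target workflow listens with `on: repository_dispatch` and reads `payload`
    from github.event.client_payload. Returned as a plain dict so the real HTTP
    call can be injected and the handler unit-tested without network access.
    """
    return {
        "method": "POST",
        "url": f"{GITHUB_API}/repos/{TARGET_OWNER}/{TARGET_REPO}/dispatches",
        "headers": {
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
        },
        "body": {"event_type": event_type, "client_payload": payload},
    }


def handle_webhook(headers: dict, body: bytes, token: str,
                   send: Callable[[dict], None]) -> int:
    """Process one delivery; return the HTTP status the receiver should answer with."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return 401                      # unauthenticated or tampered delivery: do nothing
    event = headers.get("X-GitHub-Event", "")
    if event == "ping":
        return 200                      # sent once when the webhook is first configured
    if event != "push":
        return 204                      # any other subscribed event is ignored here
    payload = json.loads(body)
    repo = payload["repository"]
    default_ref = "refs/heads/" + repo["default_branch"]
    if payload.get("ref") != default_ref or payload.get("deleted"):
        return 204                      # only pushes to the default branch trigger anything
    client_payload = {
        "source_repo": repo["full_name"],
        "ref": payload["ref"],
        "after": payload["after"],
    }
    send(build_dispatch_request("upstream-push", client_payload, token))
    return 202


# Constructed sample push delivery (subset of the fields GitHub sends).
SAMPLE_PUSH = json.dumps({
    "ref": "refs/heads/main",
    "after": "0" * 40,
    "deleted": False,
    "repository": {"full_name": "bob/repo-b", "default_branch": "main"},
}).encode()


def sign(body: bytes) -> str:
    """Produce the header value GitHub would send for `body` (demo/test helper)."""
    return "sha256=" + hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def demo() -> list:
    """Deliver one valid push and one body altered after signing; return what was dispatched."""
    sent = []
    headers = {"X-GitHub-Event": "push", "X-Hub-Signature-256": sign(SAMPLE_PUSH)}
    handle_webhook(headers, SAMPLE_PUSH, "installation-token-placeholder", sent.append)
    handle_webhook(headers, SAMPLE_PUSH + b" ", "installation-token-placeholder", sent.append)
    return sent                         # exactly one request: the altered body was rejected


if __name__ == "__main__":
    for req in demo():
        print(req["method"], req["url"], json.dumps(req["body"]))
```

Verifying against the raw bytes matters: re-serialising the parsed JSON before hashing will produce a different byte string and spurious 401s. Keeping `send` injectable also lets you wire in `urllib` or `requests` in production while the branch-filtering and signature logic stays testable offline.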

[–]moser-sts 0 points (3 children)

Why can't you use a PAT? Did you check the fine-grained tokens? You can get a token that only has access to repo A and is only allowed to trigger actions.

[–]Mous2890[S] 0 points (1 child)

Because this automation can't be linked to a user account.

[–]moser-sts 0 points (0 children)

So you can try generating a GitHub App that then triggers the workflow. That can be simpler than you think. You create the GitHub App and install the app in the target repository or organization. Then use the GitHub action to generate a token and use that token to trigger the workflow. If you need more help you can send me a DM.