@JGreenlee
Collaborator

@JGreenlee JGreenlee commented Apr 14, 2025

Add interface to update admin users list via UI. Triggers the config-update workflow on the config repo to PR changes (automerge if checks pass)

Introduces env vars for GitHub App auth:
CONFIG_REPO: "e-mission/nrel-openpath-deploy-configs"
CONFIG_UPDATES_WORKFLOW: "config-update.yml"
CONFIG_UPDATES_GH_APP_PRIVATE_KEY
CONFIG_UPDATES_GH_APP_ID
CONFIG_UPDATES_GH_APP_INSTALLATION_ID

(CONFIG_REPO replaces CONFIG_PATH which was unused)

Status of the workflow and PR are monitored in the UI. If credentials aren't set, updates will fail.

Designed to support more config update actions in the future; all the functions in config_update_utils.py are generic

Testing done:
#168 (comment)

JGreenlee added a commit to JGreenlee/nrel-openpath-deploy-configs that referenced this pull request Apr 14, 2025
The config-update workflow runs one of the scripts in bin/config_update, commits and PRs the config changes if there are any, and auto-merges that PR if it passes checks.
The workflow can be triggered from op-admin-dashboard given that it has credentials to trigger workflows (which are provided through a Github app: https://github.com/settings/apps/op-config-updates)
Currently, this works to add/remove admin users from the admin_access list:
e-mission/op-admin-dashboard#167 (comment)

Tested end-to-end from admin dash:
e-mission/op-admin-dashboard#168
@JGreenlee
Collaborator Author

UI shows current admins

Adding a new admin

Monitors the status of the workflow

Links to PR on success

The PR was auto merged by github actions bot because it passed the validate-configs check

After a few minutes + refresh, the new admin shows up

@JGreenlee JGreenlee force-pushed the manage-admin-access branch from 582b874 to 1d37911 Compare April 15, 2025 17:03
@JGreenlee JGreenlee marked this pull request as ready for review April 15, 2025 17:04
@JGreenlee JGreenlee moved this to Ready for review by Shankari in OpenPATH Tasks Overview Apr 15, 2025
@JGreenlee
Collaborator Author

For this to work on prod, we will need to provide new environment variables (CONFIG_UPDATES_GH_APP_PRIVATE_KEY, CONFIG_UPDATES_GH_APP_ID, and CONFIG_UPDATES_GH_APP_INSTALLATION_ID).
How do we currently provide secrets to containers running on prod?

I gave @TeachMeTW the necessary values to test locally against my fork and it worked as expected, with this PR being created: JGreenlee/nrel-openpath-deploy-configs#30

JGreenlee added a commit to JGreenlee/nrel-openpath-deploy-configs that referenced this pull request Apr 21, 2025
@shankari
Contributor

@JGreenlee on production, environment variables are configured using the AWS secrets manager. I see that you have already added them to the docker-compose 👍 You can provide them to @jgu2 and he can add them to the secrets manager before we merge + deploy

@shankari shankari left a comment

I looked through at a high level; I wonder if you could describe why we need get_recent_workflow_run.
When we dispatch a workflow, don't we get the workflow ID? That seems more robust than checking for recent calls - what if two deployments make changes in the same 10 minutes?
Similarly, the workflow should be able to output the ID of the PR that it creates.

@JGreenlee
Collaborator Author

> when we dispatch a workflow, don't we get the workflow ID? That seems more robust than checking for recent calls - what if two deployments make changes in the same 10 minutes.

Unfortunately no, we don't get the workflow ID. We just get an empty OK response (204)

> Similarly, the workflow should be able to output the ID of the PR that it creates.

I tried this too, but there's no easy way to get an output value from a workflow run.
You can generate an artifact with the output value, or just log the output value and parse the logs on the receiving end. Either way you have to download zip files and extract them, which didn't seem worth the effort at the moment
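
Added example, not code from this PR or from either commenter: one way to tie a workflow run to the dispatch that started it when the dispatch call returns only an empty 204, so that two deployments dispatching within the same window are not confused. It assumes the workflow accepts a hypothetical `correlation_id` input and includes it in its `run-name` in square brackets; the run records below are constructed and use field names from GitHub's list-workflow-runs response.

```python
from datetime import datetime, timedelta, timezone

def _ts(stamp):
    """Parse the UTC timestamp format used in the run records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def most_recent_run(runs):
    """Time-based heuristic: newest workflow_dispatch run, whoever started it."""
    dispatched = [r for r in runs if r["event"] == "workflow_dispatch"]
    return max(dispatched, key=lambda r: _ts(r["created_at"]), default=None)

def find_dispatched_run(runs, correlation_id, dispatched_at, skew=timedelta(seconds=30)):
    """Return the single run carrying our token, or None if it is not listed yet."""
    tag = f"[{correlation_id}]"
    matches = [
        r for r in runs
        if r["event"] == "workflow_dispatch"
        and tag in r["display_title"]
        and _ts(r["created_at"]) >= dispatched_at - skew
    ]
    if len(matches) > 1:
        # A token is generated per request, so a second match means reuse or a bug.
        raise RuntimeError(f"{len(matches)} runs carry token {correlation_id}")
    return matches[0] if matches else None

# Constructed sample: two deployments dispatch the workflow two seconds apart.
OUR_TOKEN = "3f9c1e7a5b2d4c68"      # hypothetical; uuid.uuid4().hex per request in practice
OTHER_TOKEN = "a1b2c3d4e5f60718"    # hypothetical token from the other deployment
DISPATCHED_AT = datetime(2025, 4, 15, 17, 3, 8, tzinfo=timezone.utc)
SAMPLE_RUNS = [
    {"id": 1000, "event": "push", "created_at": "2025-04-15T17:03:11Z",
     "display_title": "Update README"},
    {"id": 1001, "event": "workflow_dispatch", "created_at": "2025-04-15T17:03:10Z",
     "display_title": f"config-update [{OUR_TOKEN}]"},
    {"id": 1002, "event": "workflow_dispatch", "created_at": "2025-04-15T17:03:12Z",
     "display_title": f"config-update [{OTHER_TOKEN}]"},
]

if __name__ == "__main__":
    print("heuristic picks run", most_recent_run(SAMPLE_RUNS)["id"])
    print("token match picks run",
          find_dispatched_run(SAMPLE_RUNS, OUR_TOKEN, DISPATCHED_AT)["id"])
```
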

JGreenlee added a commit to JGreenlee/nrel-openpath-deploy-configs that referenced this pull request Jun 23, 2025
The config-update workflow runs one of the scripts in bin/config_update, commits and PRs the config changes if there are any, and auto-merges that PR if it passes checks.
The workflow can be triggered from op-admin-dashboard given that it has credentials to trigger workflows (which are provided through a Github app: https://github.com/settings/apps/op-config-updates)
Currently, this works to add/remove admin users from the admin_access list:
e-mission/op-admin-dashboard#167 (comment)

Tested end-to-end from admin dash:
e-mission/op-admin-dashboard#168
With cognito auth, the email of the authenticated user is included in the token, but before this change we didn't save it anywhere.
These changes return the user email from authentication, save it as a global store, and pass it to the config-updates workflow when it is triggered, allowing us to "maintain an audit trail of who made the appropriate changes."
e-mission#168 (comment)
shankari pushed a commit to e-mission/nrel-openpath-deploy-configs that referenced this pull request Jun 28, 2025
shankari pushed a commit to e-mission/nrel-openpath-deploy-configs that referenced this pull request Oct 13, 2025