[Feat]: Template synchronization across multiple github organization

[alexvanderberkel]

Describe the feature

Supporting for template synchronization for multiple GitHub organization. If you work with private repository within an Enterprise Organization, the token of a GitHub app are bound to one organization only.

Currently, the template synchronization GitHub action uses only one github_token. If the scripts could use multiple github_token or if you could specify a source and destination github token that are being used later on, you could have template synchronization most likely across multiple GitHub organization under an enterprise umbrella. The teams would be required to somehow "share" the credentials and figure out a least privilege approach but the synchronization could be possible I guess.

Within the action it could look like this:
`

  - uses: actions/create-github-app-token@v1
    id: app-token-org-destination
    with:
      app-id: ${{ secrets.ORG_DESTINATION_APP_ID }}
      private-key: ${{ secrets.ORG_DESTINATION_PRIVATE_KEY }}
  
  - uses: actions/create-github-app-token@v1
    id: app-token-org-source
    with:
      app-id: ${{ secrets.ORG_SOURCE_APP_ID }}
      private-key: ${{ secrets.ORG_SOURCE_PRIVATE_KEY }}

  - name: actions-template-sync
    uses: AndreasAugustin/actions-template-sync@v2
    with:
      source_github_token: ${{ steps.app-token-org-source.outputs.token }}
      source_repo_path: Uniper-Streaming-Integration-Platform/confluent-cloud-terraform-template
      destination_github_token: ${{ steps.app-token-org-destination.outputs.token }}
      upstream_branch: main`

`
The push function would most like need to use the token of the destination as far as I could figure out.

Use Case

Support template synchronization across multiple GitHub organization with private repositories

Proposed Solution

No response

Acknowledgements

• I may be able to implement this feature request

[AndreasAugustin]

Hi @alexvanderberkel and thanks for the approach.

Actually what I understand you like to have this action in one repo and push to other repos?
Currently the way the action is working is that you need to have the workflow definition inside the target repository.
So having in each repo the yaml definition with the same source is actually the way how you could solve it today?

[alexvanderberkel]

We are running it currently in the target repo. We get it running towards the source but then it is failing against the target. I think the reason is that the github_token that is being injected belongs to the source github organization. Once the push action towards the target organization is carried out it will use the token of the source organization and not if the target organization. Maybe I'm wrong in my understanding?

[AndreasAugustin]

We are running it currently in the target repo. We get it running towards the source but then it is failing against the target. I think the reason is that the github_token that is being injected belongs to the source github organization. Once the push action towards the target organization is carried out it will use the token of the source organization and not if the target organization. Maybe I'm wrong in my understanding?

Thanks for the clarification. Totally misunderstood your issue and use case.
Hmm 🤔 reading the code I can verify that with current implementation your use case is not working.
Actually I think this is even a bug. Need to think about the issue. It is overriding the GITHUB_TOKEN env vatiable for the step. Currently I think with a slight modification this should be solvable with a rename of the env variable. Then your use case should work without a change of the current parameters.

[alexvanderberkel]

Absolutely no problem Andreas! In that case I haven't made myself clear enough. Thanks for all the work you put into this GitHub Action. Much appreciated your work.

Is the token that is being overwritten the token of the pipeline? So I think you are right if we change name of variable slightly and it should be able to work without changing the current parameters.

[alexvanderberkel]

Hi Andreas, can I help somehow in the development or testing ?

[AndreasAugustin]

Hi @alexvanderberkel and thanks for your offer. Development and testing is always welcome.

Do you like to take over the task?

[alexvanderberkel]

I can give it a first try :-)