Discuss continuous delivery of infrastructure Archive: https://archive.sweetops.com/gitops/
@Erik Osterman (Cloud Posse) do you have a trigger based off of a release or just a tag in codefresh?
i cant seem to find that in circle
i guess tag will work well enough
like the webhook will fire off from github, but circle doesnt listen for that
yeah im using tag, which circle does listen to
but obviously would have liked it to be release instead
(codefresh even listens for github comments)
“ok to deploy”
im going to work with the free version of codefresh on my own time so i can make a pitch to move
do you find your team going through alot of builds though?
codefresh is moving to a new model based on concurrent steps
that’ll make it a lot easier
pricing will not be per build?
that’d be nice not to have to worry about optimizing the types of builds youre making
yea, the realized the pricing model before was prohibitive/restrictive
when in fact, you want people to use it as much as possible
do you know what their new pricing model will look like?
someone will reach out to you
@Erik Osterman (Cloud Posse) are you doing release/tag permission restrictions in github? those dont seem available
based off this issue https://github.com/isaacs/github/issues/1091
Right now, it's basically impossible to have any protection around tags: Anyone with write access to a repo can push any tags. There's no auditing/logging of tag changes. Any number of thin…
unfortunately, github doesn’t support that. there are a few workarounds.
Option 1. Codefresh will soon be adding permissions around “approval” steps; (right now anyone can approve). You can wait for this. Option 2. Embed the deployment permissions into the deploy pipeline by looking at the code committer. This can run as just a separate step in the pipeline.
Option 2 is my pref
we don’t have an example of this right now
thats what im going to do in circle
unfortunately its hardcoded into the code
i recommend just checking github team membership
thats not provided out of the box by circle, are you hitting the gh api to grab that?
i only get the username of whoever triggered the build
yeah i will just hit the GH api
yea, you’ll need to hit the github API
We have an example here: https://github.com/cloudposse/github-authorized-keys/blob/master/api/github.go
Use GitHub teams to manage system user accounts and authorized_keys - cloudposse/github-authorized-keys
but I would create a new cli tool that simple does this one thing
yeah that’s what I am planning on doing
python + argparse