Manages who is in your GitHub organization based on a custom property in their Google Workspace profile, giving a seamless JML (joiner, mover, leaver) process: if enabled, removing or suspending an account in Google Workspace removes the user from the GitHub organization, and adding a user works the same way. If you don't want to run it in destructive mode, it can be configured to exit with a non-zero exit code so that you know to go and make the changes manually.
Right now this only handles organization membership; it does not touch team membership or the level of membership (member vs owner). The main focus is to raise an alert when the configuration isn't as expected; these features could be added in future.
- Add a custom attribute on the users
  - Go to https://admin.google.com/ac/customschema
  - Enter:
    - Category: `Accounts`
    - Description: `Accounts held elsewhere to link in`
    - Custom fields:
      - name: `github`
      - info type: `text`
      - visibility: `Visible to the organisation`
      - no. of values: `multi-value`
- Add values to the custom attribute for each user
  - Go to https://admin.google.com/ac/users
  - Click a user to edit them
  - Click 'User information'
  - Under Accounts, click `github`
  - Add all the GitHub accounts (logins) for that user
  - Click Save
- Create a Google service account with domain-wide delegation (in the Google Cloud console)
  - Enable the Admin SDK API
  - Create credentials:
    - Which API are you using?: `Admin SDK API`
    - Are you planning to use this API with App Engine or Compute Engine?: `No`
    - Service account name: `githubusermanager`
    - Role: `[none]`
    - Key type: `JSON`
    - Click `Continue`, then confirm `CREATE WITHOUT ROLE`
  - Edit the service account and click `Enable G Suite domain-wide delegation`
    - Product name for the consent screen: `githubusermanager`
  - Go to https://admin.google.com/ac/owl/domainwidedelegation and add:
    - Client ID: the client ID of the service account
    - OAuth scopes: `https://www.googleapis.com/auth/admin.directory.user.readonly`
  - Only the read-only directory scope is needed: the tool reads Google and never writes to it, so don't grant anything wider. The downloaded JSON key can read every user's profile as the impersonated admin, so keep it out of the repository and pass it only as a secret.
- Register a new GitHub App
  - Click `Settings` on your organization
  - Click `Developer settings`
  - Click `GitHub Apps`
  - Click `New GitHub App`
  - Enter:
    - GitHub App name: `Google workspace github users`
    - Homepage URL: `github.com`
    - Webhook: uncheck `Active`
    - Organization permissions: Members: `Read-only`, or `Read-Write` if you want it to add and remove users (ADD_USERS / REMOVE_USERS)
    - Where can this GitHub App be installed?: `Only on this account`
  - Click `Generate a private key` (a .pem file should download)
  - Click `Install App`, then `Install`, then `Install` again to confirm
  - Take note of the URL; it will look something like `github.com/organizations/myorg/settings/installations/15627551`. The installation ID is the last number, 15627551
  - Click
Run it as a scheduled GitHub Actions workflow. The two secrets hold the base64'd Google service-account JSON and the base64'd GitHub App private key; with `add-users` and `remove-users` left at `'false'` the run is a dry run that only fails (exit code 1) when membership doesn't match.

```yaml
# ./.github/workflows/org-membership.yml
name: Github Org Membership
on:
  schedule:
    - cron: '*/5 * * * *'
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - name: Github Org Membership Manager
        uses: appvia/[email protected]
        with:
          google-email-address: [email protected]
          google-credentials: ${{ secrets.GOOGLE_CREDENTIALS }}
          add-users: 'false'
          remove-users: 'false'
          exit-code-on-missmatch: '1'
          github-org: 'myorg'
          github-app-id: 1234
          github-installation-id: 12345
          github-private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
          ignored-users: user1,user2
          github-token: ${{ secrets.GITHUB_TOKEN }}
          github-actor: ${{ github.actor }}
```
Add a dependabot configuration to always get updates!

```yaml
# ./.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: daily
```
- Docker: make a `.env` file with the variables from the table below, then run:

  ```shell
  docker run --env-file .env docker.pkg.github.com/appvia/githubusermanager/githubusermanager:main
  ```

- Locally: clone this repo, set the environment variables from the table below, then run:

  ```shell
  npm install --production
  npm start
  ```
| Environment Variable | Description | Example | Default |
|---|---|---|---|
| GOOGLE_EMAIL_ADDRESS | Email address of the Workspace admin the service account impersonates via domain-wide delegation | [email protected] | null |
| GOOGLE_CREDENTIALS | Base64'd JSON key as downloaded in the Google service account creation step | Zm9vCg== | null |
| ADD_USERS | Set to TRUE to add users to the GitHub organisation | TRUE | false |
| REMOVE_USERS | Set to TRUE to remove users from the GitHub organisation | TRUE | false |
| REMOVE_SUSPENDED_USERS | Set to TRUE to also remove users from the GitHub organisation whose Google account is suspended | TRUE | false |
| EXIT_CODE_ON_MISMATCH | Exit code to use when membership doesn't match; with ADD_USERS and REMOVE_USERS left false this gives a dry-run mode that only alerts | 1 | 0 |
| GITHUB_ORG | GitHub organization | chrisnstest | null |
| GITHUB_APP_ID | GitHub App ID | 106341 | null |
| GITHUB_INSTALLATION_ID | GitHub App installation ID (the last number in the installation URL) | 15627551 | null |
| GITHUB_PRIVATE_KEY | Base64'd private key (.pem) as downloaded in the GitHub App registration step | Zm9vCg== | null |
| IGNORED_USERS | Comma-separated list of GitHub usernames to always ignore, useful for org owners you don't want accidentally removed | owner1,owner2 | null |