Updated OpsLevel GitHub App Permissions as Part of Service Creation
On August 9, 2022, OpsLevel will begin providing Early Access to one of our most anticipated new features - Service Creation. With Service Creation, you can create and manage a gallery of service templates that developers can use to easily spin up new services. When creating new services, OpsLevel will automatically register them in your catalog and publish them to your GitHub organization. This will allow you to kick off service creation workflows directly in OpsLevel.
How Do I Get Started with Service Creation?
If you want Early Access to Service Creation, please notify your Customer Success Manager on or after August 9, 2022 to turn the feature on for you.
For Service Creation to integrate with GitHub, OpsLevel needs additional permissions from GitHub to create repos. You will be required to accept these new permissions on your existing GitHub OpsLevel App. We have a step-by-step guide on how to update your permissions in our documentation.
What Should I Know About these New GitHub Permissions?
In order for you to make use of Service Creation, OpsLevel will need to perform the following actions within your GitHub repository:
- Create a new repository and populate it with new service code
- Create pull/merge requests against existing repositories
We will not be taking any actions other than the ones listed above. We will update you should we ever need to expand these actions for future features.
Even though we only need to perform a limited set of actions, the GitHub permissions model is not granular enough to restrict us to only these required actions.
Specifically, we are requesting the following additional permissions in your GitHub organization:
- Read and write on “administration”
We need this to create new repos.
- Read and write on “contents”
We need this to populate newly created repos with the templated repo content.
NOTE: Several of the APIs in this list require further permissions to be able to use them (e.g., the secrets, checks, and workflows endpoints). We have no plans at this time to use any of the APIs we haven’t explicitly mentioned as part of Service Creation. We will notify you if we ever change these plans.
- Read and write on “pull requests”
We need this to create new pull requests, which we’ll use to help update templates.
- Read and write on “checks”
We need this to create GitHub checks per pull request. This is for a future feature to see OpsLevel checks, including new checks around templates, directly in GitHub.
How will OpsLevel ensure these permissions are used securely and responsibly?
We appreciate that the GitHub app permissions we’re requesting are broad in scope. These permissions are broader than we’d like, but they are the minimum necessary for us to provide Service Creation.
On the security front, we have taken measures to ensure that the access you grant us to your GitHub organization cannot be accessed by malicious actors or inadvertently leaked.
- All access tokens, including GitHub, are encrypted at rest and in transit. Our security page has more details on ciphers and versions.
- As part of our SOC2 compliance, all access to our production systems is logged.
- The background workers running the service creation logic run exclusively within our secured infrastructure.
From a product perspective, again, we currently plan to use these permissions only for the use cases around service creation:
- Creating new repositories
- Creating pull / merge requests against existing repositories
We take seriously the trust you have in us to properly protect this data. Customer security is at the forefront of our product development process. We will not introduce any new action without it being thoroughly reviewed by our Product and Engineering teams.
We are also always available to listen to feedback and concerns that you may have.
Use Branch Protection for additional protection
We understand that, even though we have taken all steps necessary to minimize the risks of granting us these new permissions, some customers may still be hesitant or want additional protections in place.
One such protection is enabling branch protection on all of your services’ repositories. We always recommend enabling this. Branch protection ensures that your default branches are protected and that no one, including OpsLevel, can take actions against them such as deleting them or force pushing to them.
OpsLevel has a branch protection check that can assist in giving visibility into which service repos already have this in place.
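To audit this yourself, the sketch below evaluates branch protection settings for the two actions named above (delete and force push) plus administrator enforcement. It is an added example, not OpsLevel's branch protection check or code; the repository names and sample responses are constructed, shaped like GitHub's REST response for a branch's protection settings.

```python
# Constructed sample data, shaped like the GitHub REST API response to
# GET /repos/{owner}/{repo}/branches/{branch}/protection. Repository names are
# hypothetical; None stands for the 404 "Branch not protected" answer.
SAMPLE_PROTECTION = {
    "payments-api": {
        "allow_force_pushes": {"enabled": False},
        "allow_deletions": {"enabled": False},
        "enforce_admins": {"enabled": True},
    },
    "legacy-batch": None,
    "search-svc": {
        "allow_force_pushes": {"enabled": True},
        "allow_deletions": {"enabled": False},
        "enforce_admins": {"enabled": False},
    },
}


def _enabled(protection, key):
    """Unwrap GitHub's {"enabled": bool} object; None when the field is absent."""
    value = protection.get(key)
    return value.get("enabled") if isinstance(value, dict) else None


def protection_gaps(protection):
    """List the ways a default branch can still be deleted or force pushed."""
    if protection is None:
        return ["no branch protection rule"]
    gaps = []
    # Fail closed: a setting that is missing from the response counts as a gap.
    if _enabled(protection, "allow_force_pushes") is not False:
        gaps.append("force pushes allowed")
    if _enabled(protection, "allow_deletions") is not False:
        gaps.append("branch deletion allowed")
    # Without enforce_admins, repository administrators bypass the rule.
    if _enabled(protection, "enforce_admins") is not True:
        gaps.append("rule not enforced for administrators")
    return gaps


def audit(repos):
    """Map each repository with at least one gap to its list of gaps."""
    report = {name: protection_gaps(p) for name, p in repos.items()}
    return {name: gaps for name, gaps in report.items() if gaps}


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_PROTECTION).items():
        print(f"{name}: {', '.join(gaps)}")
```

GitHub's endpoints for changing branch protection are themselves covered by the “administration” permission, so run an audit like this on a schedule rather than once.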
What Are the Next Steps?
On August 9, 2022, OpsLevel admins will receive an email asking them to upgrade the permissions for their GitHub Apps. We encourage our customers to accept these permissions so they can take full advantage of Service Creation. However, if you do not accept the permissions, there will be no changes to your existing OpsLevel functionality outside of not being able to use the Service Creation feature.
We aim to have all of our customers upgraded to the new permissions by September 16th, 2022. If you have any hesitations or concerns, please reach out to your Customer Success Manager and we will be more than happy to schedule time and work through any issues.