From dfcf59bb65213237137861cadc583b7e6b52489b Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Fri, 20 Mar 2026 14:10:36 -0400 Subject: [PATCH] Update github-apps README with actual App IDs, install IDs, and agent mapping Co-Authored-By: Paperclip --- github-apps/README.md | 47 +++++++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/github-apps/README.md b/github-apps/README.md index e8f2c51..d0f7cd0 100644 --- a/github-apps/README.md +++ b/github-apps/README.md 
@@ -1,36 +1,39 @@ -# GitHub App Manifests +# GitHub App Manifests — privilegedescalation Role-based GitHub Apps for the `privilegedescalation` org. Each role has scoped permissions to enforce the PR workflow at the GitHub level. -## Roles +## Apps -| App | Purpose | Merge | Approve | Push | -|-----|---------|-------|---------|------| -| `privilegedescalation-ceo` | PR merging, org admin | yes | no | yes | -| `privilegedescalation-cto` | PR review/approval, engineering oversight | no | yes | yes | -| `privilegedescalation-qa` | PR review/approval, bug filing, CI monitoring | no | yes | read-only | -| `privilegedescalation-engineer` | Code push, PR creation, CI execution | no | no | yes | +| Role | App Name | App ID | Install ID | PEM | Permissions | +|------|----------|--------|------------|-----|-------------| +| CEO | `privilegedescalation-ceo` | `3140977` | `117774329` | `privilegedescalation-ceo.pem` | administration:write, contents:write, issues:write, pull_requests:write, actions:read | +| CTO | `privilegedescalation-cto` | `3141071` | `117776738` | `privilegedescalation-cto.pem` | contents:write, issues:write, pull_requests:write, actions:write, workflows:write | +| QA | `privilegedescalation-qa` | `3141386` | `117784524` | `privilegedescalation-qa.pem` | contents:read, issues:write, pull_requests:write, actions:read | +| Engineer | `privilegedescalation-engineer` | `3141264` | `117781238` | `privilegedescalation-engineer.pem` | contents:write, issues:write, pull_requests:write, actions:write, pages:write | -## Setup +## Agent → App Mapping -1. Go to `https://github.com/organizations/privilegedescalation/settings/apps/new` -2. Paste the JSON from the corresponding manifest file -3. Save the private key PEM -4. Add the PEM to the `agent-github-pems` sealed secret in `cpfarhood/kubernetes` -5. Install the app on the `privilegedescalation` org (all repos) -6. 
Update agent CONFIG.md files with the new App ID and PEM path +| Agent | Role | App | +|-------|------|-----| +| Countess von Containerheim (CEO) | ceo | `privilegedescalation-ceo` | +| Null Pointer Nancy (CTO) | cto | `privilegedescalation-cto` | +| Addison Addington (CMO) | ceo | `privilegedescalation-ceo` | +| Hugh Hackman (VP devops) | engineer | `privilegedescalation-engineer` | +| Gandalf the Greybeard | engineer | `privilegedescalation-engineer` | +| Regression Regina (QA) | qa | `privilegedescalation-qa` | +| Samuel Stinkpost | engineer | `privilegedescalation-engineer` | + +## PEM Location + +`/paperclip/secrets/github-pems/privilegedescalation-.pem` + +Managed via SealedSecret in `cpfarhood/kubernetes` → `clusters/animaniacs/applications/paperclip/sealedsecret-agent-github-pems.yaml` ## Branch Protection -After apps are created, set up branch protection rulesets on each repo: +Rulesets should be configured on each repo: - Require PRs before merging to main - Require 2 approvals (from CTO + QA apps) - Restrict who can merge to the CEO app - Require status checks to pass - -## PEM Naming Convention - -`/paperclip/secrets/github-pems/privilegedescalation-.pem` - -Example: `privilegedescalation-ceo.pem`, `privilegedescalation-cto.pem`, `privilegedescalation-qa.pem`, `privilegedescalation-engineer.pem`
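Review bot: The new Agent → App Mapping row `| Addison Addington (CMO) | ceo | privilegedescalation-ceo |` hands a marketing role the one app that carries `administration:write` and, per the Branch Protection bullets in the same hunk, is the only identity allowed to merge; that contradicts the intro's stated goal of scoped per-role permissions, and because the CEO and CMO agents would share one App ID and Install ID, merges and admin actions from the two agents become indistinguishable by actor. Either map the CMO to an app without administration and merge rights, or add a sentence stating why CMO needs CEO-level access. Two smaller points in the same hunk: the PEM Location line `/paperclip/secrets/github-pems/privilegedescalation-.pem` has nothing between the hyphen and `.pem`, and the deleted `Example:` line listing `privilegedescalation-ceo.pem`, `privilegedescalation-cto.pem`, ... was the only place the concrete file names appeared, so restore that example list or make the role token explicit; and the six-step Setup section is removed with no replacement, leaving no documented procedure for creating a new app, storing its PEM in the `agent-github-pems` SealedSecret, or updating agent CONFIG.md files when a key is rotated.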