Jon Jozwiak jonjozwiak

jonjozwiak / gist:55feedde72ff21610a8806af24bf90c2
Created March 14, 2025 18:22
API call to get teams permissions
gh api graphql --paginate -f owner='your-organization-here' -f repo='your-repo-here' -f affiliation='ALL' -f query='
query ($owner: String!, $repo: String!, $affiliation: CollaboratorAffiliation!, $endCursor: String) {
  repository(owner:$owner, name:$repo) {
    name
    owner {
      login
    }
    collaborators(first: 100, affiliation: $affiliation, after: $endCursor) {
      pageInfo {
        endCursor
jonjozwiak / attribute-based-provisioning.md
Created December 17, 2024 14:39
Attribute-based provisioning to GHEC with EntraID

One of the challenges of moving to GitHub Enterprise Cloud (GHEC) Enterprise Managed Users (EMU) is the difference in user provisioning compared to the typical LDAP setup with GitHub Enterprise Server. While AD groups have traditionally been used to determine who to provision, with an LDAP setup you can also create a main group that gates access: for example, a group called 'GitHubEnterprise' that determines whether a user is provisioned or not, alongside other groups like TeamA, TeamB, and so on that are used for team membership. If an individual is in TeamA but not in the GitHubEnterprise group, they do not get provisioned.

GitHub Enterprise Cloud uses SAML or OIDC with SCIM provisioning. In SCIM provisioning, group-based filtering is not an option, so the above scenario cannot be achieved. However, [scoping filters](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts?pivots=app-pro

jonjozwiak / main.py
Created October 2, 2024 21:07
List all public repos in your enterprise by org
import os
import requests
import csv
# Read GitHub token from environment variable
GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
if not GITHUB_TOKEN:
    raise EnvironmentError("Please set the GITHUB_TOKEN environment variable.")
GITHUB_GRAPHQL_URL = 'https://api.github.com/graphql'
jonjozwiak / podman_actions.md
Created September 13, 2024 20:46
RHEL 8 Actions Runner with Podman

With the move to RHEL 8, Red Hat has removed Docker in favor of Podman. Docker has changed docker-ce to experimental on RHEL. These steps enable using Podman tools with Actions, since Actions cannot speak with Podman natively.

Podman comes with a couple of issues when it comes to Actions that we need to work around:

  • Actions relies on the docker socket
  • Podman does not create missing directories on container create. Docker does...

Below are the steps to set up Podman on RHEL 8 with an Actions runner. This assumes you already have a base RHEL 8 OS installed and connected to Subscription Manager so you have access to repositories. Note that this is not meant to be a definitive guide to all the ways you can create a runner. This guide uses an organization-level runner and sets it up manually.

jonjozwiak / Jenkinsfile
Created September 19, 2023 17:23 — forked from jonico/Jenkinsfile
Example for a full blown Jenkins pipeline script with CodeQL analysis steps, multiple stages, Kubernetes templates, shared volumes, input steps, injected credentials, heroku deploy, sonarqube and artifactory integration, Docker containers, multiple Git commit statuses, PR merge vs branch build detection, REST API calls to GitHub deployment API, …
#!groovy
import groovy.json.JsonOutput
import groovy.json.JsonSlurper
def label = "mypod-${UUID.randomUUID().toString()}"
podTemplate(label: label, yaml: """
spec:
  containers:
  - name: mvn
    image: maven:3.3.9-jdk-8
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: kafka
spec:
  serviceName: kafka-hs
  replicas: 5
  podManagementPolicy: Parallel
  updateStrategy:
    type: RollingUpdate