Skip to content

feat: add site-admin account creation mode for GHES#23

Open
c1-dev-bot[bot] wants to merge 1 commit into
mainfrom
feat/site-admin-create-user
Open

feat: add site-admin account creation mode for GHES#23
c1-dev-bot[bot] wants to merge 1 commit into
mainfrom
feat/site-admin-create-user

Conversation

@c1-dev-bot
Copy link
Copy Markdown

@c1-dev-bot c1-dev-bot Bot commented Jun 4, 2026

Summary

  • Adds account-creation-mode and site-admin-token config options to baton-github-enterprise
  • Passes the new config through to the underlying baton-github connector
  • Enables GHES customers with SSO/LDAP-enforced environments to provision accounts via POST /admin/users instead of email-based org invitations

Dependency Notice

This PR vendors unreleased changes from ConductorOne/baton-github#172.

Before merging this PR, the dependency PR must be reviewed, merged, and released. After the dependency is released, update go.mod to point to the released version and re-vendor before merging.

Fixes: CXH-1594

Test plan

  • Verify existing connector behavior (invitation mode) is unchanged
  • Test with --account-creation-mode=site_admin_create --site-admin-token=<token> against a GHES instance
  • Verify startup validation: missing site-admin-token with site_admin_create mode fails early
  • Verify invalid account-creation-mode values are rejected

Automated PR Notice

This PR was automatically created by c1-dev-bot as a potential implementation.

This code requires:

  • Human review of the implementation approach
  • Manual testing to verify correctness
  • Approval from the appropriate team before merging

feat: add site-admin account creation mode for GHES
856f9da 
Add account-creation-mode and site-admin-token config options to support
GHES environments where email-based org invitations are disallowed by
enterprise policy (e.g., SSO/LDAP-enforced environments).

When account-creation-mode is set to "site_admin_create", the connector
calls POST /admin/users via a site-admin PAT instead of sending org
invitation emails. The user is created immediately with no invitation
acceptance required.

Vendors unreleased baton-github changes from:
ConductorOne/baton-github#172

Fixes: CXH-1594
@c1-dev-bot c1-dev-bot Bot requested a review from a team June 4, 2026 20:59
@linear-code
Copy link
Copy Markdown

linear-code Bot commented Jun 4, 2026

CXH-1594

github-actions[bot]
github-actions Bot reviewed Jun 4, 2026
View reviewed changes
Comment thread vendor/github.com/conductorone/baton-github/pkg/connector/connector.go
siteAdminClient: gh.siteAdminClient,
instanceURL: gh.instanceURL,
}),
AppBuilder(gh.client, gh.orgCache),
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Bug: AppBuilder is called here but is not defined anywhere in the vendored code. Similarly, skipEntitlementsAndGrantsAnnotations (used on line 112 to initialize resourceTypeApp) is also missing. This will cause a compilation failure. The upstream baton-github PR likely added these in a new file (e.g., app.go) that was not included when vendoring. Re-run go mod vendor against the dependency to pull in all files.

github-actions[bot]
github-actions Bot reviewed Jun 4, 2026
View reviewed changes
Comment thread vendor/github.com/conductorone/baton-github/pkg/connector/invitation.go
orgs []string
client *github.Client
orgCache *orgNameCache
orgs []string
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Suggestion: instanceURL is stored on the struct and passed through InvitationBuilderParams but is never read in any method. If it's not needed for a future change in this PR, consider removing it to avoid dead code.

github-actions[bot]
github-actions Bot reviewed Jun 4, 2026
View reviewed changes
Comment thread pkg/connector/connector.go
Org: ghc.Org,
DirectCollaboratorsOnly: ghc.DirectCollaboratorsOnly,
AccountCreationMode: ghc.AccountCreationMode,
SiteAdminToken: ghc.SiteAdminToken,
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Suggestion: Once the vendoring issue is fixed and AppBuilder is available, DefaultCapabilitiesBuilder.ResourceSyncers() (line 46) should also include connector.AppBuilder(nil, nil) so the new app resource type is declared in the connector's capabilities.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 4, 2026

Connector PR Review: feat: add site-admin account creation mode for GHES

Blocking Issues: 1 | Suggestions: 2 | Threads Resolved: 0
Review mode: full
View review run

Review Summary

This PR adds account-creation-mode and site-admin-token config fields to enable GHES account provisioning via POST /admin/users instead of email invitations. The config wiring, validation, and invitation builder logic are well-structured. However, the vendored baton-github dependency is incomplete — two symbols (AppBuilder and skipEntitlementsAndGrantsAnnotations) are referenced but not defined in any vendored file, which will cause a build failure. Re-vendoring the dependency should resolve this.

Security Issues

None found.

Correctness Issues

  • vendor/.../connector/connector.go:112,147: skipEntitlementsAndGrantsAnnotations and AppBuilder are called but not defined in the vendored code. The upstream dependency likely defines them in a file (e.g., app.go) that was not included during vendoring. The project will not compile.

Suggestions

  • vendor/.../connector/invitation.go:98: instanceURL field is added to invitationResourceType but never read — dead code.
  • pkg/connector/connector.go:28: Once vendoring is fixed, DefaultCapabilitiesBuilder.ResourceSyncers() should include the new AppBuilder so the app resource type is declared in capabilities.
Prompt for AI agents 
Verify each finding against the current code and only fix it if needed.

## Correctness Issues

In `vendor/github.com/conductorone/baton-github/pkg/connector/connector.go`:
- Around line 108-147: The `resourceTypeApp` variable uses `skipEntitlementsAndGrantsAnnotations` (line 112) and `AppBuilder` is called in `ResourceSyncers` (line 147), but neither function is defined in any vendored file. Run `go mod vendor` to re-vendor the `baton-github` dependency so all source files (likely including an `app.go` or similar) are included.

## Suggestions

In `vendor/github.com/conductorone/baton-github/pkg/connector/invitation.go`:
- Around line 98: The `instanceURL` field on `invitationResourceType` is set via `InvitationBuilderParams` but never read by any method. Remove the field from the struct and from `InvitationBuilderParams` if it is not needed, or this can be left for the upstream baton-github PR to address.

In `pkg/connector/connector.go`:
- Around line 46-58: After re-vendoring fixes the build, add `connector.AppBuilder(nil, nil)` to the `ResourceSyncers()` return slice in `DefaultCapabilitiesBuilder` so the `app` resource type appears in the connector's declared capabilities.

github-actions[bot]
github-actions Bot requested changes Jun 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blocking issues found — see review comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants