GitHub
VCS
Integrating with a VCS provider unlocks the ability to use GitOps workflows, import modules, enable Open Policy Agent, and much more.
The GitHub VCS Provider is authenticated by using the GitHub App feature. To enable the integration, go to "Integrations" and select GitHub. Enter the provider name when prompted and follow the flow:
Select the GitHub organization:
Then select the repositories that Scalr will need access to:
After clicking Install and Authorize you will be redirected back to Scalr.
Pull Request Comments
Scalr will automatically kick off dry runs (plan only) when a PR is opened against a branch that is linked to a Scalr workspace, commonly referred to as GitOps automation. To see the results in GitHub before merging the PR, you must enable this in the GitHub integration at the account scope:
The result will be an overall summary of the pull request as well as a per-workspace report showing what resources have been created, updated, or deleted:
Scalr will also update the comments with the apply results after the run has finished. There is a separate checkbox, "Send the apply summary back to PR comments", that must be enabled for this to work.
Execute Runs from Pull Request Comments
To enable the ability to execute runs from pull request comments, you must enable it at the VCS provider integration level:
- Allow triggering plan-only runs from the PR comments: Any user who can comment on the PR can execute a plan-only run in Scalr.
- Allow triggering plan & apply runs from the PR comments: Any user who can comment on the PR can execute an apply run in Scalr.
When enabled, all users that have access to the pull request comment have the ability to execute a run. The workspace must have "Enabled VCS-driven dry runs" enabled in the settings for this feature to work.
Draft PRs
Draft pull requests are commonly used during the early development cycles to note when a pull request is in a draft state. Since draft pull requests are so early on in the development cycle, it's possible that you don't want a Scalr plan to execute when pull requests are opened. Scalr gives you the option to ignore draft pull requests by unchecking "Trigger runs for draft pull requests". As of right now, this will apply to any workspace that is linked to the VCS provider.
GitHub Actions
Scalr has a supported GitHub Action that can be found here. The action uses the Terraform and Scalr CLI to kick off Terraform workflows with Scalr set as the remote backend where the run is executed and state is stored.
Secret Scanning
Scalr supports GitHub Secret Scanning to ensure Scalr API tokens do not end up visible in code stored in GitHub. To enable this, go to your GitHub settings, specifically Code Security and then Global Settings. In there, click Scan for non-provider patterns and under Custom patterns, select New Pattern:
Once you are on the new pattern page, enter the following:
Secret Format: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.eyJpc3MiOiJzY2Fscj[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*
Before Secret: \A|[^0-9A-Za-z]
After Secret: \z|[^0-9A-Za-z]
Once you save the information above, secret scanning is enabled and you will be notified if any Scalr API tokens make it into your code stored in GitHub.
The token must have been created on or after April 11th, 2024 for the secret scanning to work correctly.
Note: Scalr is currently awaiting approval from GitHub to join the [GitHub Secret Scanning program](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-partner-program).
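The custom pattern can be exercised locally, for example in a pre-commit check, before relying on it in GitHub. The Python sketch below is an added example, not Scalr's or GitHub's code: it assumes each character class in the Secret Format is repeated with `*`, rewrites the Before/After fields as lookarounds, and uses a constructed filler token and hypothetical helper names.

```python
import re

# Literal parts of the "Secret Format" field: the fixed JWT header segment and
# the start of the payload segment that Scalr API tokens share.
HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
PAYLOAD_START = "eyJpc3MiOiJzY2Fscj"
B64URL = "[a-zA-Z0-9_-]*"

# "Before secret" (\A|[^0-9A-Za-z]) and "After secret" (\z|[^0-9A-Za-z]) are
# written as negative lookarounds, which Python's re accepts and which mean the
# same thing: no alphanumeric character directly before or after the token.
SCALR_TOKEN = re.compile(
    "(?<![0-9A-Za-z])" + HEADER + r"\." + PAYLOAD_START + B64URL
    + r"\." + B64URL + "(?![0-9A-Za-z])"
)

def redact(token):
    """Keep enough of the token to locate it without re-leaking it."""
    return f"{token[:8]}...({len(token)} chars)"

def find_scalr_tokens(text):
    """Return (line_number, redacted_token) for every match in text."""
    return [
        (lineno, redact(m.group(0)))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in SCALR_TOKEN.finditer(line)
    ]

# Constructed sample input: FAKE is filler that fits the format, not a credential.
FAKE = f"{HEADER}.{PAYLOAD_START}CONSTRUCTED.CONSTRUCTED_SIG"
SAMPLE = "\n".join([
    f'scalr_token = "{FAKE}"',   # quoted assignment: reported
    f"export TOKEN={FAKE}",      # preceded by '=': reported
    f"blob=QUJD{FAKE}",          # glued to alphanumerics: boundary rejects it
    f"jwt={HEADER}.eyJpc3MiOiJvdGhlciJ9.c2ln",  # same header, other payload
])

if __name__ == "__main__":
    for lineno, token in find_scalr_tokens(SAMPLE):
        print(f"line {lineno}: {token}")
```
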