Metadata-Version: 2.3
Name: otterdog
Version: 1.3.1
Summary: Tool to manage GitHub organizations and their repositories.
License: EPL-2.0
Keywords: infrastructure-as-code,supply-chain-security,github,gitops
Author: Thomas Neidhart
Author-email: thomas.neidhart@eclipse-foundation.org
Requires-Python: >=3.11,<4.0
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: Eclipse Public License 2.0 (EPL-2.0)
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Version Control
Classifier: Topic :: System :: Systems Administration
Classifier: Typing :: Typed
Requires-Dist: GitPython (>=3.1.47,<4.0)
Requires-Dist: JSONBender (>=0.9,<1.0)
Requires-Dist: PyNaCl (>=1.5,<2.0)
Requires-Dist: aiofiles (>=24.1,<25.0)
Requires-Dist: aiohttp (>=3.11,<4.0.0)
Requires-Dist: aiohttp-client-cache (>=0.12.3,<1.0.0)
Requires-Dist: aiohttp-retry (>=2.9,<3.0)
Requires-Dist: aioshutil (>=1.5,<2.0)
Requires-Dist: aiosqlite (>=0.20,<1.0)
Requires-Dist: asyncer (>=0.0.8,<1.0)
Requires-Dist: chevron (>=0.14,<1.0)
Requires-Dist: click (>=8.1,<9.0)
Requires-Dist: hvac (>=2.0,<3.0)
Requires-Dist: importlib_resources (>=6.4,<7.0)
Requires-Dist: jsonata-python (>=0.5,<1.0)
Requires-Dist: jsonschema (>=4.23,<5.0)
Requires-Dist: jwt (>=1.3,<2.0)
Requires-Dist: mintotp (>=0.3,<1.0)
Requires-Dist: playwright (>=1.44,<2.0)
Requires-Dist: requests (>=2.32,<3.0)
Requires-Dist: rich (>=13.9,<14.0)
Requires-Dist: rjsonnet (>=0.5,<1.0)
Project-URL: Changelog, https://github.com/eclipse-csi/otterdog/blob/main/CHANGELOG.md
Project-URL: Documentation, https://otterdog.readthedocs.io
Project-URL: Homepage, https://github.com/eclipse-csi/otterdog
Project-URL: Repository, https://github.com/eclipse-csi/otterdog
Description-Content-Type: text/markdown

<h1 align="center">

<a href="https://otterdog.eclipse.org">
  <img style="width: 350px;" src="https://raw.githubusercontent.com/eclipse-csi/.github/refs/heads/main/artwork/eclipse-otterdog/Logo%20Color%20-%20Transparent%20Bg.png">
</a>

</h1>

<p align="center">
  <a href="https://pypi.org/project/otterdog"><img alt="PyPI" src="https://img.shields.io/pypi/v/otterdog.svg?color=blue&maxAge=600" /></a>
  <a href="https://pypi.org/project/otterdog"><img alt="PyPI - Python Versions" src="https://img.shields.io/pypi/pyversions/otterdog.svg?maxAge=600" /></a>
  <a href="https://github.com/eclipse-csi/otterdog/blob/main/LICENSE"><img alt="EPLv2 License" src="https://img.shields.io/github/license/eclipse-csi/otterdog" /></a>
  <a href="https://github.com/eclipse-csi/otterdog/actions/workflows/build.yml?query=branch%3Amain"><img alt="Build Status on GitHub" src="https://github.com/eclipse-csi/otterdog/actions/workflows/build.yml/badge.svg?branch:main&workflow:Build" /></a>
  <a href="https://otterdog.readthedocs.io"><img alt="Documentation Status" src="https://readthedocs.org/projects/otterdog/badge/?version=latest" /></a><br>
  <a href="https://scorecard.dev/viewer/?uri=github.com/eclipse-csi/otterdog"><img alt="OpenSSF Scorecard" src="https://api.securityscorecards.dev/projects/github.com/eclipse-csi/otterdog/badge" /></a>
  <a href="https://www.bestpractices.dev/projects/9624"><img alt="OpenSSF Best Practices" src="https://www.bestpractices.dev/projects/9624/badge" /></a>
  <a href="https://slsa.dev"><img alt="OpenSSF SLSA Level 3" src="https://slsa.dev/images/gh-badge-level3.svg" /></a>
</p>

# Eclipse Otterdog

## Introduction

Otterdog is a tool to manage GitHub organizations at scale using a configuration as code approach.
It is actively developed by the Eclipse Foundation and used to manage its numerous projects hosted on GitHub.

## Quickstart

To install and use the cli part of otterdog you have to install the following:

* git (mandatory): install using `apt install git`
* otterdog (mandatory): install using `pipx install otterdog`
* bitwarden cli tool (optional): install using `snap install bw`
* pass cli tool (optional): install using `apt install pass`

[Otterdog Presentation @ Open Source Summit 2023](https://docs.google.com/presentation/d/1lLqbhDQf9s5U2A2TkcoFYA39qtODcSot2308vnKbkbA/edit?usp=sharing)

[Default Configuration used @ Eclipse Foundation](https://github.com/EclipseFdn/otterdog-defaults/)

## Documentation

The documentation is available at [otterdog.readthedocs.io](https://otterdog.readthedocs.io).

## Build instructions

### System requirements:

* python3.11+ (mandatory): e.g. install using `apt install python3` or use `pyenv install 3.12`
* git (mandatory): install using `apt install git`
* poetry >=2 (mandatory): install using `pipx install poetry>=2.0.1`
* bitwarden cli tool (optional): install using `snap install bw`
* pass cli tool (optional): install using `apt install pass`

### Building Steps

* Create a virtual python environment and install necessary python dependencies using poetry:

```console
$ make init
```

Running `make init` will also install `poetry` if it is not installed yet.

* Testing build

```console
$ ./otterdog.sh -h
```

## Quick Setup

To start using the cli part of `otterdog` right away on a specific organization you have to set up the following:

- define a default configuration to use, or use the following [default config](https://github.com/eclipse-csi/otterdog/blob/main/examples/template/otterdog-defaults.libsonnet) right away
- create a `otterdog.json` file that contains a list of GitHub organizations to manager and their respective credentials
- start managing your organizations using the cli

### Default configuration

The example [default config](https://github.com/eclipse-csi/otterdog/blob/main/examples/template/otterdog-defaults.libsonnet) has all supported features enabled and can be used right away.
However, it is advised to use a released tag instead of `main` to avoid incompatibilities.

### Otterdog configuration

Create a `otterdog.jsonnet` or `otterdog.json` file with the following content (replace bracketed values according to your setup):

```json
{
  "defaults": {
    "jsonnet": {
      "base_template": "https://github.com/eclipse-csi/otterdog#examples/template/otterdog-defaults.libsonnet@main",
      "config_dir": "orgs"
    }
  },
  "organizations": [
    {
      "name": "<project-name>",
      "github_id": "<github-id>",
      "credentials": {
        "provider": "plain",
        "api_token": "<GitHub PAT>",
        "username": "<Username>",
        "password": "<Password>",
        "twofa_seed": "<2FA TOTP seed>"
      }
    }
  ]
}
```

The name of the configuration file can be freely chosen (can be overridden with the __-c__ flag).
However, when named `otterdog.jsonnet` or `otterdog.json`, the cli tool will automatically detect and use that file if it is in the current working directory.

> [!IMPORTANT]
> In this example the `plain` provider is being used to access credentials to avoid setting up a `real` credential provider (see below) for a quick setup.
> However, the `plain` provider should *NOT* be used for anything else to avoid leakage of data in case the `otterdog.json` file is shared with other users.

### Environment Variables

#### OTTERDOG_CONFIG_ROOT

The `OTTERDOG_CONFIG_ROOT` environment variable allows you to specify a custom root directory for Otterdog configuration files and organization data. E.g: https://github.com/EclipseFdn/otterdog-configs

When set, Otterdog will:
- Search for configuration files (`otterdog.jsonnet` or `otterdog.json`) in this directory
- Use this directory as the base path for the `config_dir` (default: `orgs/`) containing organization configurations

**Usage:**

```bash
# Set the configuration root directory
export OTTERDOG_CONFIG_ROOT=/path/to/config

# Run otterdog commands - will automatically use the specified directory
otterdog fetch-config eclipse-csi
otterdog apply eclipse-csi
```
### Credentials

Otterdog needs certain credentials to access information from an organization and its repositories on GitHub:

* username / password / 2FA seed
* API token

The login / username / 2FA seed are required to access the web interface of GitHub in order to retrieve certain
settings that are not accessible via its rest / graphql API.

The GitHub api token needs to have the following scopes enabled:

* repo
* workflow
* admin:org
* admin:org_hook
* delete_repo

The credentials can be stored in different providers (bitwarden, pass).

#### Bitwarden

When using **bitwarden** to store the credentials, you need to enter a valid __item id__ as additional credential data:

```json
{
  "organizations": [
    {
      "name": "<org name>",
      "github_id": "<github org id>",
      "credentials": {
        "provider": "bitwarden",
        "item_id" : "<bitwarden item id>"
      }
    }
  ]
}
```

The item stored in bitwarden needs to contain the following information (a sample json output of such an item):

```json
{
  "object": "item",
  "id": "<bitwarden item id>",
  "name": "<item name>",
  "fields": [
    {
      "name": "api_token_admin",
      "value": "<github API token>"
    }
  ],
  "login": {
    "username": "<github username>",
    "password": "<github password>",
    "totp": "<2FA TOTP seed>"
  }
}
```

Mandatory items:

* Field with name "api_token_admin" and as value the GitHub token to access the organization
* __login.username__ of a user that can access the organization with enabled 2FA
* __login.password__ the password of that user
* __login.totp__ the 2FA TOTP seed

#### Pass

When using **pass** to store the credentials, you need to enter fully qualified pass names to access the various
required credential data:

```json
{
  "organizations": [
    {
      "name": "<org name>",
      "github_id": "<github org id>",
      "credentials": {
        "provider": "pass",
        "api_token": "<path/to/api_token>",
        "username": "<path/to/username>",
        "password": "<path/to/password>",
        "twofa_seed": "<path/to/2fa_seed>"
      }
    }
  ]
}
```

In case your password storage dir is not located at the default location, you can
configurate that in the `defaults`:

```json
{
  "defaults": {
    "pass": {
      "password_store_dir": "path/to/storage/dir"
    }
  }
}
```

As the `password_store_dir` might be different on different machines, you can also customize that in a separate `.otterdog-defaults.json` file:

```json
{
  "pass": {
    "password_store_dir": "path/to/storage/dir"
  }
}
```

