cli/create-github-app: Add members to permission selection list

Signed-off-by: Johan Haals <johan.haals@gmail.com>

.changeset/green-parents-pay.md

@@ -0,0 +1,5 @@
+---
+'@backstage/cli': patch
+---
+
+Improved the `create-github-app` permissions selection prompt by converting it into a multi-select with clearer descriptions. The `members` permission is now also included in the list which is required for ingesting user data into the catalog.

packages/cli/src/commands/create-github-app/GithubCreateAppServer.ts

@@ -19,18 +19,6 @@ import openBrowser from 'react-dev-utils/openBrowser';
 import { request } from '@octokit/request';
 import express, { Express, Request, Response } from 'express';
 
-const MANIFEST_DATA = {
-  default_events: ['create', 'delete', 'push', 'repository'],
-  default_permissions: {
-    contents: 'read',
-    metadata: 'read',
-  },
-  name: 'Backstage-<changeme>',
-  url: 'https://backstage.io',
-  description: 'GitHub App for Backstage',
-  public: false,
-};
-
 const FORM_PAGE = `
 <html>
   <body>
@@ -62,17 +50,17 @@ export class GithubCreateAppServer {
 
   static async run(options: {
     org: string;
-    readWrite: boolean;
+    permissions: string[];
   }): Promise<GithubAppConfig> {
     const encodedOrg = encodeURIComponent(options.org);
     const actionUrl = `https://github.com/organizations/${encodedOrg}/settings/apps/new`;
-    const server = new GithubCreateAppServer(actionUrl, options.readWrite);
+    const server = new GithubCreateAppServer(actionUrl, options.permissions);
     return server.start();
   }
 
   private constructor(
     private readonly actionUrl: string,
-    private readonly readWrite: boolean,
+    private readonly permissions: string[],
   ) {
     const webhookId = crypto
       .randomBytes(15)
@@ -121,21 +109,29 @@ export class GithubCreateAppServer {
     if (!baseUrl) {
       throw new Error('baseUrl is not set');
     }
+
     const manifest = {
-      ...MANIFEST_DATA,
+      default_events: ['create', 'delete', 'push', 'repository'],
+      default_permissions: {
+        metadata: 'read',
+        ...(this.permissions.includes('members') && { members: 'read' }),
+        ...(this.permissions.includes('read') && { contents: 'read' }),
+        ...(this.permissions.includes('write') && {
+          contents: 'write',
+          actions: 'write',
+        }),
+      },
+      name: 'Backstage-<changeme>',
+      url: 'https://backstage.io',
+      description: 'GitHub App for Backstage',
+      public: false,
       redirect_url: `${baseUrl}/callback`,
       hook_attributes: {
         url: this.webhookUrl,
         active: false,
       },
-      ...(this.readWrite && {
-        default_permissions: {
-          contents: 'write',
-          actions: 'write',
-          metadata: 'read',
-        },
-      }),
     };
+
     const manifestJson = JSON.stringify(manifest).replace(/\"/g, '&quot;');
 
     let body = FORM_PAGE;

packages/cli/src/commands/create-github-app/index.ts

@@ -26,19 +26,38 @@ import openBrowser from 'react-dev-utils/openBrowser';
 // due to lacking support for creating apps from manifests.
 // https://docs.github.com/en/free-pro-team@latest/developers/apps/creating-a-github-app-from-a-manifest
 export default async (org: string) => {
-  const answers: Answers = await inquirer.prompt([
-    {
-      type: 'list',
-      name: 'appType',
-      message: chalk.blue('What will the app be used for [required]'),
-      choices: ['Read and Write (needed by Software Templates)', 'Read only'],
-    },
-  ]);
-  const readWrite = answers.appType !== 'Read only';
+  const answers: Answers = await inquirer.prompt({
+    name: 'appType',
+    type: 'checkbox',
+    message:
+      'Select permissions [required] (these can be changed later but then require approvals in all installations)',
+    choices: [
+      {
+        name: 'Read access to content (required by Software Catalog to ingest data from repositories)',
+        value: 'read',
+        checked: true,
+      },
+      {
+        name: 'Read access to members (required by Software Catalog to ingest GitHub teams)',
+        value: 'members',
+        checked: true,
+      },
+      {
+        name: 'Read and Write to content and actions (required by Software Templates to create new repositories)',
+        value: 'write',
+      },
+    ],
+  });
+
+  if (answers.appType.length === 0) {
+    console.log(chalk.red('You must select at least one permission'));
+    process.exit(1);
+  }
+
   await verifyGithubOrg(org);
   const { slug, name, ...config } = await GithubCreateAppServer.run({
     org,
-    readWrite,
+    permissions: answers.appType,
   });
 
   const fileName = `github-app-${slug}-credentials.yaml`;