Repo bootstrap should fail if cannot commit to repo before creating any resources on the cluster

[roi-codefresh]

Today if you try to bootstrap on an existing repo without proper write permissions or if the repository has branch protection rules we will only fail when trying to commit the manifests to the repository, which happens after we apply them to the cluster.

We need to fail early to prevent applying things to the cluster when we know we are going to fail to commit them later to the repository.

[aperullo]

@roi-codefresh If I use bootstrap --recover to recover from the repo containing the --app manifests then it still fails because of this check, despite not needing to write anything to the repo. Is there a workaround for this behavior?

[roi-codefresh]

@aperullo the --recover flag should run on the installation repo, where you have the bootstrap directory. Are you running it on the correct repository?

Do you mean it should allow to --recover even if you don't have write permissions on that repo because --recover should theoretically not commit anything?

[aperullo]

@roi-codefresh thanks for responding. Yes in my case I've already bootstrapped a repo with installation-mode flat. So repo and app are the same repository.

Giving it a token with write repository permission is a security concern for us because the autopilot secret becomes a credential template for the rest of the git source. (Which is still desirable, since we can then add other repos to watch after recover, we just don't want the token to have write permission over all of the git-server).

[roi-codefresh]

Got you! I think that makes sense that we wouldn't need to commit anything when recovering. So I guess it we should skip that write permission check there. I will reopen this issue to track and fix this.

Thanks for pointing that out :)

[aperullo]

You're the best! Thank you so much!

[roi-codefresh]

will be release with version v0.4.14