Merge branch 'main' into yes-process-env

graphql-hive · Jan 29, 2025 · f1e7a80 · f1e7a80
2 parents 70c3049 + 09c7719
commit f1e7a80
Show file tree

Hide file tree

Showing 93 changed files with 6,527 additions and 2,609 deletions.
diff --git a/.changeset/healthy-flies-wink.md b/.changeset/healthy-flies-wink.md
@@ -0,0 +1,5 @@
+---
+'hive': patch
+---
+
+Improves validation for operation durations and error totals. Prevents processing of invalid usage report data.
diff --git a/.changeset/tall-islands-occur.md b/.changeset/tall-islands-occur.md
@@ -0,0 +1,16 @@
+---
+'hive': major
+---
+
+Introduce new permission system for organization member roles.
+
+The existing scopes assigned to organization member users are now replaced with permissions.
+Using the permissions allows more granular access control to features in Hive.
+
+This introduces the following breaking changes:
+
+- Organization members with the default `Viewer` role, will experience downgraded permissions. They will no longer be able to create targets or projects.
+- Organization member roles permissions for inviting, removing or assigning roles have been revoked. A organization admin will have to re-apply the permissions to the desired member roles.
+- Organization members with permissions for managing invites, removing members, assigning roles or modifying roles are no longer restrained in granting more rights to other users. Please be aware when granting these permissions to a user role. We recommend only assigning these to member roles that are considered "Admin" user roles.
+
+A future update will introduce resource based access control (based on project, target, service or app deployments) for organization members.
diff --git a/.github/workflows/open-source-summary.yaml b/.github/workflows/open-source-summary.yaml
@@ -0,0 +1,25 @@
+name: License Summary
+on:
+  schedule:
+    - cron: '0 9 * * *'
+  workflow_dispatch: {}
+
+jobs:
+  update:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: setup environment
+        uses: ./.github/actions/setup
+        with:
+          codegen: false
+
+      - name: generate license summary
+        run: |
+          LICENSE_SUMMARY=$(npx license-checker --summary)
+          LICENSE_LIST=$(npx license-checker --list)
+          echo "\`\`\`\n$LICENSE_SUMMARY\n\n$LICENSE_LIST\n\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/integration-tests/testkit/flow.ts b/integration-tests/testkit/flow.ts
@@ -50,9 +50,10 @@ export function createOrganization(input: CreateOrganizationInput, authToken: st
                 slug
                 owner {
                   id
-                  organizationAccessScopes
-                  projectAccessScopes
-                  targetAccessScopes
+                  role {
+                    id
+                    permissions
+                  }
                 }
                 memberRoles {
                   id
@@ -178,9 +179,11 @@ export function joinOrganization(code: string, authToken: string) {
                 user {
                   id
                 }
-                organizationAccessScopes
-                projectAccessScopes
-                targetAccessScopes
+                role {
+                  id
+                  name
+                  permissions
+                }
               }
             }
           }
@@ -213,10 +216,8 @@ export function getOrganizationMembers(selector: OrganizationSelectorInput, auth
                 role {
                   id
                   name
+                  permissions
                 }
-                organizationAccessScopes
-                projectAccessScopes
-                targetAccessScopes
               }
             }
           }
@@ -664,9 +665,7 @@ export function createMemberRole(input: CreateMemberRoleInput, authToken: string
                 name
                 description
                 locked
-                organizationAccessScopes
-                projectAccessScopes
-                targetAccessScopes
+                permissions
               }
             }
           }
@@ -724,9 +723,7 @@ export function deleteMemberRole(input: DeleteMemberRoleInput, authToken: string
                 name
                 description
                 locked
-                organizationAccessScopes
-                projectAccessScopes
-                targetAccessScopes
+                permissions
               }
             }
           }
@@ -754,9 +751,7 @@ export function updateMemberRole(input: UpdateMemberRoleInput, authToken: string
               name
               description
               locked
-              organizationAccessScopes
-              projectAccessScopes
-              targetAccessScopes
+              permissions
             }
           }
           error {

diff --git a/integration-tests/testkit/seed.ts b/integration-tests/testkit/seed.ts
@@ -48,6 +48,7 @@ import {
   updateMemberRole,
   updateTargetValidationSettings,
 } from './flow';
+import * as GraphQLSchema from './gql/graphql';
 import {
   BreakingChangeFormula,
   OrganizationAccessScope,
@@ -185,10 +186,10 @@ export function initSeed() {
 
               return members;
             },
-            async projects() {
+            async projects(token = ownerToken) {
               const projectsResult = await getOrganizationProjects(
                 { organizationSlug: organization.slug },
-                ownerToken,
+                token,
               ).then(r => r.expectNoGraphQLErrors());
 
               const projects = projectsResult.organization?.organization.projects.nodes;
@@ -806,6 +807,7 @@ export function initSeed() {
                   input: {
                     roleId: string;
                     userId: string;
+                    resources?: GraphQLSchema.ResourceAssignmentInput;
                   },
                   options: { useMemberToken?: boolean } = {
                     useMemberToken: false,
@@ -816,6 +818,10 @@ export function initSeed() {
                       organizationSlug: organization.slug,
                       userId: input.userId,
                       roleId: input.roleId,
+                      resources: input.resources ?? {
+                        mode: GraphQLSchema.ResourceAssignmentMode.All,
+                        projects: [],
+                      },
                     },
                     options.useMemberToken ? memberToken : ownerToken,
                   ).then(r => r.expectNoGraphQLErrors());
@@ -847,11 +853,7 @@ export function initSeed() {
                   return memberRoleDeletionResult.deleteMemberRole.ok?.updatedOrganization;
                 },
                 async createMemberRole(
-                  scopes: {
-                    organization: OrganizationAccessScope[];
-                    project: ProjectAccessScope[];
-                    target: TargetAccessScope[];
-                  },
+                  permissions: Array<string>,
                   options: { useMemberToken?: boolean } = {
                     useMemberToken: false,
                   },
@@ -867,9 +869,7 @@ export function initSeed() {
                       organizationSlug: organization.slug,
                       name,
                       description: 'some description',
-                      organizationAccessScopes: scopes.organization,
-                      projectAccessScopes: scopes.project,
-                      targetAccessScopes: scopes.target,
+                      selectedPermissions: permissions,
                     },
                     options.useMemberToken ? memberToken : ownerToken,
                   ).then(r => r.expectNoGraphQLErrors());
@@ -908,11 +908,7 @@ export function initSeed() {
                     name: string;
                     description: string;
                   },
-                  scopes: {
-                    organization: OrganizationAccessScope[];
-                    project: ProjectAccessScope[];
-                    target: TargetAccessScope[];
-                  },
+                  permissions: Array<string>,
                   options: { useMemberToken?: boolean } = {
                     useMemberToken: false,
                   },
@@ -923,9 +919,7 @@ export function initSeed() {
                       roleId: role.id,
                       name: role.name,
                       description: role.description,
-                      organizationAccessScopes: scopes.organization,
-                      projectAccessScopes: scopes.project,
-                      targetAccessScopes: scopes.target,
+                      selectedPermissions: permissions,
                     },
                     options.useMemberToken ? memberToken : ownerToken,
                   ).then(r => r.expectNoGraphQLErrors());