Investigate using organisation secret for Stata License key

[Jongmassey]

Timebox: 1/2 day

We currently require read permission to the opensafely/server-instructions repo such that OpenSAFELY CLI can contact it to get the Stata license key.

research-template/.devcontainer/devcontainer.json

Lines 23 to 26 in c083d8f

	"repositories": {
	"opensafely/server-instructions": {
	"permissions": {
	"contents": "read"

This was added in order to enable Stata actions to be run locally within a codespace/interactive Stata development via opensafely exec. On starting a new codespace, this configuration causes a users to be prompted to authorise access to this permission request. This has caused some confusion with new users, particularly those going through the Getting Started Guide. There is a troubleshooting codespaces entry for this prompt in the docs, but it's not front-and-centre.

It would be nice if we could remove this permission and corresponding prompt.

job-runner (which is vendored into the CLI) looks for a environment variable containing the key, and if this is not set it will try to contact the github repo in question.

https://github.com/opensafely-core/job-runner/blob/a4e9cb4a1ff57f9751b970c4f6530d95755ff6bd/jobrunner/cli/local_run.py#L336-L340

There is an opensafely organisation GitHub Action Secret (thanks, @lucyb ) which contains the stata license key which is used to enable running of Stata actions in CI.

Also available are GitHub Codespace Secrets - if we were to set an opensafely organisation codespace STATA_LICENSE secret, this would set this as an env var for all codespaces started from repos in the opensafely organisation. By setting this env var, I believe we would no longer need the cross-repository permission to be configured here.

HOWEVER

Note: Organization-level secrets and variables are not accessible by private repositories for GitHub Free. For more information about upgrading your GitHub subscription

we might not be on the right plan for this I've been informed we have Github Team not Free so this should be OK

[Jongmassey]

@bloodearnest has pointed out to me that we'd need to update the Stata License playbook to include the codespace secret

[Jongmassey]

We currently don't have any organisation codespace secrets set

(thanks @lucyb for the image), we could easily set a test one to check my assumptions here

[Jongmassey]

[Jongmassey]

On my own account, I have to select which repositories have access to my user codespace secret - repositories created from this template do not inherit this

[Jongmassey]

@lucyb could you see if for an organisation-level codespace secret, it is still necessary to individually select which repos have access ?

Thanks to @inglesp , we can see that we grant access to this secret to All Repositories, Private Repositories, or selected repositories.

[Jongmassey]

This seems like a viable approach. We should do a test implementation of this to check our assumptions regarding opensafely CLI, and repositories created outside of the opensafely org (by members and non-members of the org)