feat: implement service accounts

ee/rbac/lib/internal_api/audit.pb.ex

@@ -67,6 +67,7 @@ defmodule InternalApi.Audit.Event.Resource do
   field(:Okta, 17)
   field(:FlakyTests, 18)
   field(:RBACRole, 19)
+  field(:ServiceAccount, 20)
 end
 
 defmodule InternalApi.Audit.Event.Operation do

ee/rbac/lib/internal_api/organization.pb.ex

@@ -46,6 +46,7 @@ defmodule InternalApi.Organization.DescribeRequest do
   field(:org_id, 1, type: :string, json_name: "orgId")
   field(:org_username, 2, type: :string, json_name: "orgUsername")
   field(:include_quotas, 3, type: :bool, json_name: "includeQuotas")
+  field(:soft_deleted, 4, type: :bool, json_name: "softDeleted")
 end
 
 defmodule InternalApi.Organization.DescribeResponse do
@@ -63,6 +64,7 @@ defmodule InternalApi.Organization.DescribeManyRequest do
   use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
 
   field(:org_ids, 1, repeated: true, type: :string, json_name: "orgIds")
+  field(:soft_deleted, 2, type: :bool, json_name: "softDeleted")
 end
 
 defmodule InternalApi.Organization.DescribeManyResponse do
@@ -83,6 +85,7 @@ defmodule InternalApi.Organization.ListRequest do
   field(:order, 4, type: InternalApi.Organization.ListRequest.Order, enum: true)
   field(:page_size, 5, type: :int32, json_name: "pageSize")
   field(:page_token, 6, type: :string, json_name: "pageToken")
+  field(:soft_deleted, 7, type: :bool, json_name: "softDeleted")
 end
 
 defmodule InternalApi.Organization.ListResponse do
@@ -369,6 +372,14 @@ defmodule InternalApi.Organization.DestroyRequest do
   field(:org_id, 1, type: :string, json_name: "orgId")
 end
 
+defmodule InternalApi.Organization.RestoreRequest do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:org_id, 1, type: :string, json_name: "orgId")
+end
+
 defmodule InternalApi.Organization.Organization do
   @moduledoc false
 
@@ -620,6 +631,15 @@ defmodule InternalApi.Organization.OrganizationDailyUpdate do
   field(:timestamp, 11, type: Google.Protobuf.Timestamp)
 end
 
+defmodule InternalApi.Organization.OrganizationRestored do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:org_id, 1, type: :string, json_name: "orgId")
+  field(:timestamp, 2, type: Google.Protobuf.Timestamp)
+end
+
 defmodule InternalApi.Organization.OrganizationService.Service do
   @moduledoc false
 
@@ -701,6 +721,8 @@ defmodule InternalApi.Organization.OrganizationService.Service do
 
   rpc(:Destroy, InternalApi.Organization.DestroyRequest, Google.Protobuf.Empty)
 
+  rpc(:Restore, InternalApi.Organization.RestoreRequest, Google.Protobuf.Empty)
+
   rpc(
     :RepositoryIntegrators,
     InternalApi.Organization.RepositoryIntegratorsRequest,

ee/rbac/lib/internal_api/projecthub.pb.ex

@@ -39,6 +39,7 @@ defmodule InternalApi.Projecthub.Project.Spec.Repository.RunType do
   field(:TAGS, 1)
   field(:PULL_REQUESTS, 2)
   field(:FORKED_PULL_REQUESTS, 3)
+  field(:DRAFT_PULL_REQUESTS, 4)
 end
 
 defmodule InternalApi.Projecthub.Project.Spec.Repository.Status.PipelineFile.Level do
@@ -391,6 +392,7 @@ defmodule InternalApi.Projecthub.ListRequest do
   field(:pagination, 2, type: InternalApi.Projecthub.PaginationRequest)
   field(:owner_id, 3, type: :string, json_name: "ownerId")
   field(:repo_url, 4, type: :string, json_name: "repoUrl")
+  field(:soft_deleted, 5, type: :bool, json_name: "softDeleted")
 end
 
 defmodule InternalApi.Projecthub.ListResponse do
@@ -437,6 +439,7 @@ defmodule InternalApi.Projecthub.DescribeRequest do
   field(:id, 2, type: :string)
   field(:name, 3, type: :string)
   field(:detailed, 4, type: :bool)
+  field(:soft_deleted, 5, type: :bool, json_name: "softDeleted")
 end
 
 defmodule InternalApi.Projecthub.DescribeResponse do
@@ -455,6 +458,7 @@ defmodule InternalApi.Projecthub.DescribeManyRequest do
 
   field(:metadata, 1, type: InternalApi.Projecthub.RequestMeta)
   field(:ids, 2, repeated: true, type: :string)
+  field(:soft_deleted, 3, type: :bool, json_name: "softDeleted")
 end
 
 defmodule InternalApi.Projecthub.DescribeManyResponse do
@@ -522,6 +526,23 @@ defmodule InternalApi.Projecthub.DestroyResponse do
   field(:metadata, 1, type: InternalApi.Projecthub.ResponseMeta)
 end
 
+defmodule InternalApi.Projecthub.RestoreRequest do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:metadata, 1, type: InternalApi.Projecthub.RequestMeta)
+  field(:id, 2, type: :string)
+end
+
+defmodule InternalApi.Projecthub.RestoreResponse do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:metadata, 1, type: InternalApi.Projecthub.ResponseMeta)
+end
+
 defmodule InternalApi.Projecthub.UsersRequest do
   @moduledoc false
 
@@ -557,6 +578,7 @@ defmodule InternalApi.Projecthub.CheckDeployKeyResponse.DeployKey do
   field(:title, 1, type: :string)
   field(:fingerprint, 2, type: :string)
   field(:created_at, 3, type: Google.Protobuf.Timestamp, json_name: "createdAt")
+  field(:public_key, 4, type: :string, json_name: "publicKey")
 end
 
 defmodule InternalApi.Projecthub.CheckDeployKeyResponse do
@@ -589,6 +611,7 @@ defmodule InternalApi.Projecthub.RegenerateDeployKeyResponse.DeployKey do
   field(:title, 1, type: :string)
   field(:fingerprint, 2, type: :string)
   field(:created_at, 3, type: Google.Protobuf.Timestamp, json_name: "createdAt")
+  field(:public_key, 4, type: :string, json_name: "publicKey")
 end
 
 defmodule InternalApi.Projecthub.RegenerateDeployKeyResponse do
@@ -718,6 +741,24 @@ defmodule InternalApi.Projecthub.FinishOnboardingResponse do
   field(:metadata, 1, type: InternalApi.Projecthub.ResponseMeta)
 end
 
+defmodule InternalApi.Projecthub.RegenerateWebhookSecretRequest do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:metadata, 1, type: InternalApi.Projecthub.RequestMeta)
+  field(:id, 2, type: :string)
+end
+
+defmodule InternalApi.Projecthub.RegenerateWebhookSecretResponse do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:metadata, 1, type: InternalApi.Projecthub.ResponseMeta)
+  field(:secret, 2, type: :string)
+end
+
 defmodule InternalApi.Projecthub.ProjectCreated do
   @moduledoc false
 
@@ -738,6 +779,16 @@ defmodule InternalApi.Projecthub.ProjectDeleted do
   field(:org_id, 3, type: :string, json_name: "orgId")
 end
 
+defmodule InternalApi.Projecthub.ProjectRestored do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:project_id, 1, type: :string, json_name: "projectId")
+  field(:timestamp, 2, type: Google.Protobuf.Timestamp)
+  field(:org_id, 3, type: :string, json_name: "orgId")
+end
+
 defmodule InternalApi.Projecthub.ProjectUpdated do
   @moduledoc false
 
@@ -786,6 +837,8 @@ defmodule InternalApi.Projecthub.ProjectService.Service do
 
   rpc(:Destroy, InternalApi.Projecthub.DestroyRequest, InternalApi.Projecthub.DestroyResponse)
 
+  rpc(:Restore, InternalApi.Projecthub.RestoreRequest, InternalApi.Projecthub.RestoreResponse)
+
   rpc(:Users, InternalApi.Projecthub.UsersRequest, InternalApi.Projecthub.UsersResponse)
 
   rpc(
@@ -812,6 +865,12 @@ defmodule InternalApi.Projecthub.ProjectService.Service do
     InternalApi.Projecthub.RegenerateWebhookResponse
   )
 
+  rpc(
+    :RegenerateWebhookSecret,
+    InternalApi.Projecthub.RegenerateWebhookSecretRequest,
+    InternalApi.Projecthub.RegenerateWebhookSecretResponse
+  )
+
   rpc(
     :ChangeProjectOwner,
     InternalApi.Projecthub.ChangeProjectOwnerRequest,

ee/rbac/lib/internal_api/rbac.pb.ex

@@ -5,6 +5,7 @@ defmodule InternalApi.RBAC.SubjectType do
 
   field(:USER, 0)
   field(:GROUP, 1)
+  field(:SERVICE_ACCOUNT, 2)
 end
 
 defmodule InternalApi.RBAC.Scope do

ee/rbac/lib/internal_api/repository.pb.ex

@@ -88,6 +88,7 @@ defmodule InternalApi.Repository.DeployKey do
   field(:title, 1, type: :string)
   field(:fingerprint, 2, type: :string)
   field(:created_at, 3, type: Google.Protobuf.Timestamp, json_name: "createdAt")
+  field(:public_key, 4, type: :string, json_name: "publicKey")
 end
 
 defmodule InternalApi.Repository.DescribeRemoteRepositoryRequest do
@@ -370,6 +371,7 @@ defmodule InternalApi.Repository.Repository do
   field(:whitelist, 11, type: InternalApi.Projecthub.Project.Spec.Repository.Whitelist)
   field(:hook_id, 12, type: :string, json_name: "hookId")
   field(:default_branch, 13, type: :string, json_name: "defaultBranch")
+  field(:connected, 14, type: :bool)
 end
 
 defmodule InternalApi.Repository.RemoteRepository do
@@ -630,6 +632,38 @@ defmodule InternalApi.Repository.VerifyWebhookSignatureResponse do
   field(:valid, 1, type: :bool)
 end
 
+defmodule InternalApi.Repository.ClearExternalDataRequest do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:repository_id, 1, type: :string, json_name: "repositoryId")
+end
+
+defmodule InternalApi.Repository.ClearExternalDataResponse do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:repository, 1, type: InternalApi.Repository.Repository)
+end
+
+defmodule InternalApi.Repository.RegenerateWebhookSecretRequest do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:repository_id, 1, type: :string, json_name: "repositoryId")
+end
+
+defmodule InternalApi.Repository.RegenerateWebhookSecretResponse do
+  @moduledoc false
+
+  use Protobuf, syntax: :proto3, protoc_gen_elixir_version: "0.13.0"
+
+  field(:secret, 1, type: :string)
+end
+
 defmodule InternalApi.Repository.RepositoryService.Service do
   @moduledoc false
 
@@ -732,6 +766,18 @@ defmodule InternalApi.Repository.RepositoryService.Service do
     InternalApi.Repository.VerifyWebhookSignatureRequest,
     InternalApi.Repository.VerifyWebhookSignatureResponse
   )
+
+  rpc(
+    :ClearExternalData,
+    InternalApi.Repository.ClearExternalDataRequest,
+    InternalApi.Repository.ClearExternalDataResponse
+  )
+
+  rpc(
+    :RegenerateWebhookSecret,
+    InternalApi.Repository.RegenerateWebhookSecretRequest,
+    InternalApi.Repository.RegenerateWebhookSecretResponse
+  )
 end
 
 defmodule InternalApi.Repository.RepositoryService.Stub do

ee/rbac/lib/internal_api/user.pb.ex

@@ -56,6 +56,7 @@ defmodule InternalApi.User.User.CreationSource do
 
   field(:NOT_SET, 0)
   field(:OKTA, 1)
+  field(:SERVICE_ACCOUNT, 2)
 end
 
 defmodule InternalApi.User.ListFavoritesRequest do

ee/rbac/lib/rbac/grpc_servers/rbac_server.ex

@@ -371,7 +371,7 @@ defmodule Rbac.GrpcServers.RbacServer do
       total_pages: total_pages,
       members:
         Enum.map(subject_role_bindings, fn binding ->
-          subject_type = if binding.type == "user", do: :USER, else: :GROUP
+          subject_type = binding.type |> String.upcase() |> String.to_existing_atom()
 
           %RBAC.ListMembersResponse.Member{
             subject: %RBAC.Subject{

github_hooks/db/migrate/20250718124232_create_service_accounts.rb

@@ -0,0 +1,12 @@
+class CreateServiceAccounts < ActiveRecord::Migration[6.1]
+  def change
+    create_table :service_accounts, id: false do |t|
+      t.uuid :id, primary_key: true, null: false
+      t.string :description
+      t.uuid :creator_id, null: false
+    end
+
+    add_foreign_key :service_accounts, :users, column: :id, on_delete: :cascade
+    add_foreign_key :service_accounts, :users, column: :creator_id, on_delete: :nullify
+  end
+end

guard/Makefile

@@ -35,6 +35,7 @@ START_GPRC_GUARD_API?="true"
 START_GRPC_AUTH_API?="true"
 START_GRPC_USER_API?="true"
 START_GRPC_ORGANIZATION_API?="true"
+START_GRPC_SERVICE_ACCOUNT_API?="true"
 START_INSTANCE_CONFIG?="true"
 INSTANCE_CONFIG_API?="true"
 START_GRPC_INSTANCE_CONFIG_API="true"
@@ -66,6 +67,7 @@ CONTAINER_ENV_VARS= \
   -e START_GRPC_AUTH_API=$(START_GRPC_AUTH_API) \
   -e START_GRPC_USER_API=$(START_GRPC_USER_API) \
   -e START_GRPC_ORGANIZATION_API=$(START_GRPC_ORGANIZATION_API) \
+  -e START_GRPC_SERVICE_ACCOUNT_API=$(START_GRPC_SERVICE_ACCOUNT_API) \
   -e START_INSTANCE_CONFIG=$(START_INSTANCE_CONFIG) \
   -e INSTANCE_CONFIG_API=$(INSTANCE_CONFIG_API) \
   -e START_GRPC_INSTANCE_CONFIG_API=$(START_GRPC_INSTANCE_CONFIG_API) \
@@ -141,4 +143,6 @@ endif
 		/home/protoc/source/encryptor.proto
 	docker run --rm -v $(PWD):/home/protoc/code -v $(TMP_INTERNAL_REPO_DIR):/home/protoc/source renderedtext/protoc:$(RT_PROTOC_IMG_VSN) protoc -I /home/protoc/source -I /home/protoc/source/include --elixir_out=plugins=grpc:$(RELATIVE_INTERNAL_PB_OUTPUT_DIR) --plugin=/root/.mix/escripts/protoc-gen-elixir \
 		/home/protoc/source/instance_config.proto
+	docker run --rm -v $(PWD):/home/protoc/code -v $(TMP_INTERNAL_REPO_DIR):/home/protoc/source renderedtext/protoc:$(RT_PROTOC_IMG_VSN) protoc -I /home/protoc/source -I /home/protoc/source/include --elixir_out=plugins=grpc:$(RELATIVE_INTERNAL_PB_OUTPUT_DIR) --plugin=/root/.mix/escripts/protoc-gen-elixir \
+		/home/protoc/source/service_account.proto
 	rm -rf $(TMP_INTERNAL_REPO_DIR)

guard/docker-compose.yml

@@ -50,6 +50,7 @@ services:
       START_GPRC_GUARD_API: "true"
       START_GRPC_AUTH_API: "true"
       START_GRPC_USER_API: "true"
+      START_GRPC_SERVICE_ACCOUNT_API: "true"
       START_GRPC_ORGANIZATION_API: "true"
       START_GRPC_INSTANCE_CONFIG_API: "true"
       INSTANCE_CONFIG_API: "true"

guard/helm/templates/service.yaml

@@ -100,6 +100,25 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  name: "{{ .Chart.Name }}-service-account-api"
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: NodePort
+  selector:
+    {{- if .Values.global.development.minimalDeployment }}
+    app: "{{ .Chart.Name }}"
+    {{- else }}
+    app: "{{ .Chart.Name }}-user-api"
+    {{- end }}
+  ports:
+    - name: grpc
+      port: 50051
+      targetPort: 50051
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
 metadata:
   name: "{{ .Chart.Name }}-organization-api"
   namespace: {{ .Release.Namespace }}

guard/helm/templates/user-api-dpl.yaml

@@ -89,6 +89,8 @@ spec:
               value: "false"
             - name: START_GRPC_USER_API
               value: "true"
+            - name: START_GRPC_SERVICE_ACCOUNT_API
+              value: "true"
             - name: START_GPRC_HEALTH_CHECK
               value: "true"
             - name: RABBIT_CONSUMER
@@ -115,6 +117,11 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.global.rabbitmq.secretName }}
                   key: amqp-url
+            - name: BASE_DOMAIN
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ .Values.global.domain.configMapName }}
+                  key: BASE_DOMAIN
             - name: LOG_LEVEL
               value: {{ .Values.userApi.logging.level | quote }}
 {{- if .Values.global.statsd.enabled }}