feat: add script to create enterprise team tied to IdP group via SCIM#150
joshjohanning merged 2 commits into joshjohanning:main from
Pull request overview
Adds a new scripts/ automation script to create an enterprise team and link it to an IdP group via SCIM, with accompanying documentation in the scripts index README.
Changes:
- Added a bash script that searches SCIM groups (paginated) by display name and creates an enterprise team linked to the matching group ID
- Documented the new script in scripts/README.md with prerequisites and usage
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/create-enterprise-team-tied-to-idp-group.sh | New script to find a SCIM group and create an enterprise team tied to it |
| scripts/README.md | Adds documentation entry for the new script |
Comments suppressed due to low confidence (2)
scripts/create-enterprise-team-tied-to-idp-group.sh:72
- If multiple SCIM groups share the same displayName, this jq expression will return multiple IDs (newline-separated). That will make GROUP_ID non-empty but invalid to send as a single group_id. Detect multiple matches and either fail with a clear error or consistently choose one (e.g., first match) with an explicit warning.
GROUP_ID=$(echo "$RESPONSE" | jq -r ".Resources[] | select(.displayName==\"$IDP_GROUP\") | .id")
# If found, break out of the loop
if [[ -n "$GROUP_ID" ]]; then
break
fi
scripts/create-enterprise-team-tied-to-idp-group.sh:65
- The SCIM list call doesn’t check the HTTP status or handle common API failures (401/403, 429 rate limiting, non-JSON error bodies). As written, jq may fail with a confusing message and the script will exit due to set -e. Capture the HTTP status (or use curl -fS/--fail-with-body) and print a meaningful error (including rate-limit guidance) before exiting.
RESPONSE=$(curl -s \
-H "Authorization: Bearer $GH_PAT" \
-H "Accept: application/scim+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"$API/scim/v2/enterprises/$ENTERPRISE/Groups?startIndex=$START_INDEX&count=$PAGE_SIZE")
| "$API/scim/v2/enterprises/$ENTERPRISE/Groups?startIndex=$START_INDEX&count=$PAGE_SIZE") | ||
| # Try to find the group in this page by matching the display name | ||
| GROUP_ID=$(echo "$RESPONSE" | jq -r ".Resources[] | select(.displayName==\"$IDP_GROUP\") | .id") |
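Review bot: on the `GROUP_ID=` line, `echo "$RESPONSE" | jq ...` should be `printf '%s' "$RESPONSE" | jq ...`; `echo` is allowed to interpret backslash sequences and a leading `-n`/`-e` in some shells, which can corrupt a JSON body before jq parses it. `printf '%s'` passes the response through unchanged.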
The jq filter interpolates $IDP_GROUP directly into the program string. If the group name contains quotes/backslashes/newlines, jq parsing can fail or behave unexpectedly. Pass the value via jq --arg and compare with select(.displayName == $idp) to make the lookup robust.
This issue also appears in the following locations of the same file:
- line 67
- line 60
| GROUP_ID=$(echo "$RESPONSE" | jq -r ".Resources[] | select(.displayName==\"$IDP_GROUP\") | .id") | |
| GROUP_ID=$(echo "$RESPONSE" | jq -r --arg idp "$IDP_GROUP" '.Resources[] | select(.displayName == $idp) | .id') |
| # Prerequisites: | ||
| # 1. curl and jq must be installed | ||
| # 2. Set the GH_PAT environment variable: export GH_PAT=ghp_abc | ||
| # - Token must have the `admin:enterprise` scope | ||
| # 3. SCIM/SSO must be configured for the enterprise with IdP groups provisioned | ||
| # |
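Review bot: the prerequisites header says `GH_PAT` must be set, but nothing in these lines enforces it; add `: "${GH_PAT:?set GH_PAT to a token with the admin:enterprise scope}"` directly after the header so a missing token fails immediately with that message instead of surfacing later as a 401 from curl.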
The script lists curl/jq as prerequisites but doesn’t verify they’re installed, which can lead to hard-to-diagnose failures later. Add explicit dependency checks (command -v curl/jq) early with install hints, consistent with other scripts in this repo.
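The four review points above (checking for curl/jq up front, separating the HTTP status from the body, passing the group name to jq with `--arg`, and refusing to proceed when several groups share a display name) combined into one lookup. This is an added example, not the PR's script or the repository's code: `check_deps`, `fetch_groups_page`, `group_id_from_page`, `find_group_id` and `fake_fetch` are names chosen here, the SCIM pages are constructed so the example runs offline, and `fetch_groups_page` assumes the same `GH_PAT`, `API` and `ENTERPRISE` variables the script uses.

```shell
#!/bin/sh
# Added example, not the PR's script: a SCIM group lookup hardened along the
# lines of the review comments. Function names are assumptions; the SCIM
# pages near the end are constructed, not real API output.
set -eu

# Check required tools up front, with install hints, instead of failing later
# with an opaque "command not found".
check_deps() {
  missing=0
  for tool in curl jq; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "error: '$tool' is required (e.g. apt-get install $tool or brew install $tool)" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Fetch one page of SCIM groups, keeping the HTTP status apart from the body so
# auth, permission and rate-limit errors are reported clearly rather than as a
# jq parse failure. Assumes GH_PAT, API and ENTERPRISE are set as in the script.
fetch_groups_page() {
  local start_index page_size body_file status body
  start_index=$1; page_size=$2
  body_file=$(mktemp)
  status=$(curl -sS -o "$body_file" -w '%{http_code}' \
    -H "Authorization: Bearer $GH_PAT" \
    -H "Accept: application/scim+json" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "$API/scim/v2/enterprises/$ENTERPRISE/Groups?startIndex=$start_index&count=$page_size") \
    || { echo "error: curl failed to reach $API" >&2; rm -f "$body_file"; return 1; }
  body=$(cat "$body_file"); rm -f "$body_file"
  case "$status" in
    200) ;;
    401|403) echo "error: HTTP $status; check that GH_PAT has the admin:enterprise scope" >&2; return 1 ;;
    429) echo "error: HTTP 429 rate limited; wait for the limit to reset and retry" >&2; return 1 ;;
    *) echo "error: HTTP $status: $body" >&2; return 1 ;;
  esac
  # A 200 with a non-JSON body (e.g. an HTML error page) is still an error.
  printf '%s' "$body" | jq -e . >/dev/null 2>&1 || { echo "error: non-JSON response body" >&2; return 1; }
  printf '%s\n' "$body"
}

# Extract exactly one group id from a page. The display name goes in via
# --arg, so quotes, backslashes or newlines in it cannot change the jq program.
# Exit status: 0 = one match (id on stdout), 2 = none on this page, 1 = ambiguous.
group_id_from_page() {
  local page name matches count
  page=$1; name=$2
  matches=$(printf '%s' "$page" | jq -c --arg idp "$name" '[.Resources[] | select(.displayName == $idp) | .id]')
  count=$(printf '%s' "$matches" | jq 'length')
  case "$count" in
    0) return 2 ;;
    1) printf '%s' "$matches" | jq -r '.[0]' ;;
    *) echo "error: $count SCIM groups have displayName '$name'; refusing to pick one" >&2; return 1 ;;
  esac
}

# Walk the pages until the group is found or an empty page signals the end.
# $2 names a function that prints one page given (startIndex, count); a real
# run passes fetch_groups_page, the offline demo below passes fake_fetch.
find_group_id() {
  local name fetcher start size page id rc n
  name=$1; fetcher=$2; start=1; size=100
  while :; do
    page=$("$fetcher" "$start" "$size") || return 1
    id=$(group_id_from_page "$page" "$name") && { printf '%s\n' "$id"; return 0; }
    rc=$?
    [ "$rc" -eq 2 ] || return 1   # ambiguous name: error already printed
    n=$(printf '%s' "$page" | jq '.Resources | length')
    if [ "$n" -eq 0 ]; then
      echo "error: no SCIM group named '$name' found" >&2
      return 1
    fi
    start=$((start + n))
  done
}

# Constructed SCIM pages standing in for the API. The second group's name
# contains double quotes, which naive interpolation into the jq program breaks on.
PAGE1='{"totalResults":3,"startIndex":1,"itemsPerPage":2,"Resources":[{"id":"g-1","displayName":"Platform"},{"id":"g-2","displayName":"Security \"Red\" Team"}]}'
PAGE2='{"totalResults":3,"startIndex":3,"itemsPerPage":1,"Resources":[{"id":"g-3","displayName":"Engineering"}]}'
EMPTY='{"totalResults":3,"startIndex":4,"itemsPerPage":0,"Resources":[]}'
DUP='{"totalResults":2,"startIndex":1,"itemsPerPage":2,"Resources":[{"id":"g-8","displayName":"Engineering"},{"id":"g-9","displayName":"Engineering"}]}'

fake_fetch() {
  case "$1" in
    1) printf '%s\n' "$PAGE1" ;;
    3) printf '%s\n' "$PAGE2" ;;
    *) printf '%s\n' "$EMPTY" ;;
  esac
}

if check_deps; then
  find_group_id 'Security "Red" Team' fake_fetch   # g-2, quotes handled safely
  find_group_id Engineering fake_fetch             # g-3, found on the second page
  find_group_id Nope fake_fetch || echo "lookup failed as expected"
  group_id_from_page "$DUP" Engineering || echo "duplicate names rejected as expected"
fi
```

To run it against the real API, export `GH_PAT`, `API` and `ENTERPRISE` and call `find_group_id "$IDP_GROUP" fetch_groups_page`; the paging logic and the match rules are the same as in the offline demo, only the page source changes.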
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request adds a new script and documentation to automate the creation of GitHub enterprise teams tied to Identity Provider (IdP) groups via SCIM. The main focus is to streamline linking enterprise teams with IdP groups, improving automation for organizations with SCIM/SSO integration.