No caching and add use of githubapp #837

Open
wants to merge 4 commits into
base: master


cdoughty-r7

TL;DR: This allows GHPRB to constantly pull updated credentials and also gives the option to use GithubAppCredentials from github source branch, which handles rotating the app installation token every hour.

Why:

  1. Wanted the ability to rotate Github keys used in Jenkins
  2. GHPRB was caching in 2 ways: it was caching the credential IDs associated with the GHPRB and it was caching the token associated with each credential ID at the time a new trigger was created/updated (not when the credential itself was updated though)

Other interest we found:
#812
#813

How:

  1. Rebuild the connection with Github from GHPRB every time it interacts with the API in order to get the most updated credential ID from GHPRB config and the most updated secret associated with that ID in credentials store
  2. Use GithubAppCredentials from github source branch plugin which handles token refresh of application installation tokens (they rotate every hour)
  3. If GHPRB has a credential of instance GithubAppCredential, use Connection class from github source branch plugin vs the builder in ghprb-plugin to generate Github object

Benefits:

  1. GHPRB is no longer caching Github credentials, which allows for easy/programmatic update
  2. Github doesn't have an API endpoint to generate new tokens so we can rotate credentials - this allows for the use of a Github App that rotates an application installation token every hour
  3. Github source branch plugin was using GithubAppCredentials but required a Jenkinsfile and the creation of an organization to do so; this keeps all the same functionality of the original GHPRB with the added option of using the GithubAppCredential class and connection from github source branch plugin

Right now on "mvn install" this fails with spotbugs plugin but packages fine with "mvn package"
Failure starts with:

[INFO] --- spotbugs-maven-plugin:4.2.2:check (spotbugs) @ ghprb ---
[INFO] BugInstance size is 16
[INFO] Error size is 0
[INFO] Total bugs: 16

It was also failing on 2 unit tests originally bc my changes broke what the test was expecting but can't replicate that presently, so I'll leave the tests as long as those don't show up again.

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue (no new tests provided but we've been using this in production for over a year now)
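
The caching behaviour described in this pull request, as an added example that is not code from the PR or from either plugin: a trigger that copies the secret at creation time keeps the old token after rotation, one that reads the store on each API call does not, and a short-lived token holder re-mints before expiry. All class names are hypothetical, no Jenkins or plugin API is used, and the 5-minute refresh margin is an assumption; the one-hour lifetime is taken from the description above.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

public class CredentialLookupDemo {
    // Hypothetical stand-in for a credentials store keyed by credential ID.
    static final Map<String, String> STORE = new ConcurrentHashMap<>();

    // Cached pattern: the secret is copied once, when the trigger is created.
    static final class CachingTrigger {
        private final String token;
        CachingTrigger(String credentialId) { this.token = STORE.get(credentialId); }
        String tokenForApiCall() { return token; }
    }
    // Uncached pattern: the store is read again on every API interaction.
    static final class ResolvingTrigger {
        private final String credentialId;
        ResolvingTrigger(String credentialId) { this.credentialId = credentialId; }
        String tokenForApiCall() { return STORE.get(credentialId); }
    }
    // Short-lived token: a new one is minted once the current one nears expiry.
    static final class RefreshingToken {
        private final Supplier<String> minter;
        private String token;
        private Instant expiresAt = Instant.EPOCH;   // forces a mint on first use
        RefreshingToken(Supplier<String> minter) { this.minter = minter; }
        synchronized String get(Instant now) {
            // Assumed policy: refresh 5 minutes before the one-hour lifetime ends.
            if (!now.isBefore(expiresAt.minus(Duration.ofMinutes(5)))) {
                token = minter.get();
                expiresAt = now.plus(Duration.ofHours(1));
            }
            return token;
        }
    }

    public static void main(String[] args) {
        STORE.put("gh-cred", "token-v1");            // constructed sample values
        CachingTrigger cached = new CachingTrigger("gh-cred");
        ResolvingTrigger resolved = new ResolvingTrigger("gh-cred");
        STORE.put("gh-cred", "token-v2");            // credential rotated in the store
        System.out.println(cached.tokenForApiCall() + " vs " + resolved.tokenForApiCall());
        int[] minted = {0};                          // counts tokens minted so far
        RefreshingToken app = new RefreshingToken(() -> "install-" + (++minted[0]));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        for (long m : new long[] {0, 30, 56})        // minutes after t0
            System.out.println(m + " min: " + app.get(t0.plus(Duration.ofMinutes(m))));
    }
}
```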

@altonotch

What needs to happen for this to be merged?
Seeing as GitHub started enforcing MFA for all users, their guideline for bots is to be a GitHub app, and adding this support became critical, at least for us.
I'm not familiar with Java development, if someone can help onboard me into the process, I'll be happy to help with the plugin maintenance.
