134 lines
4.8 KiB
Diff
134 lines
4.8 KiB
Diff
|
From 788a484aa700b1541600333ab6bbc08653a4edd1 Mon Sep 17 00:00:00 2001
|
||
|
|
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
|
||
|
|
Date: Sat, 13 Jul 2024 10:52:49 +0200
|
||
|
|
Subject: [PATCH] master/reporters/github: render token for each request
|
||
|
|
MIME-Version: 1.0
|
||
|
|
Content-Type: text/plain; charset=UTF-8
|
||
|
|
Content-Transfer-Encoding: 8bit
|
||
|
|
|
||
|
|
Github token can expire i.e. if an GitHub apps are used
|
||
|
|
the token needs to be renewed every hour from the installation token.
|
||
|
|
By moving the renderSecrets just when the requests happens,
|
||
|
|
we provide an interface for users to provide a new refresh GITHUB_TOKEN
|
||
|
|
|
||
|
|
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
|
||
|
|
---
|
||
|
|
master/buildbot/reporters/github.py | 28 +++++++++++++++----
|
||
|
|
.../github-reporter-secret-handling.change | 3 ++
|
||
|
|
2 files changed, 26 insertions(+), 5 deletions(-)
|
||
|
|
create mode 100644 newsfragments/github-reporter-secret-handling.change
|
||
|
|
|
||
|
|
diff --git a/master/buildbot/reporters/github.py b/master/buildbot/reporters/github.py
|
||
|
|
index 3873c2676..27242831f 100644
|
||
|
|
--- a/master/buildbot/reporters/github.py
|
||
|
|
+++ b/master/buildbot/reporters/github.py
|
||
|
|
@@ -70,7 +70,7 @@ def reconfigService(
|
||
|
|
generators=None,
|
||
|
|
**kwargs,
|
||
|
|
):
|
||
|
|
- token = yield self.renderSecrets(token)
|
||
|
|
+ self.token = token
|
||
|
|
self.debug = debug
|
||
|
|
self.verify = verify
|
||
|
|
self.verbose = verbose
|
||
|
|
@@ -89,7 +89,7 @@ def reconfigService(
|
||
|
|
self._http = yield httpclientservice.HTTPClientService.getService(
|
||
|
|
self.master,
|
||
|
|
baseURL,
|
||
|
|
- headers={'Authorization': 'token ' + token, 'User-Agent': 'Buildbot'},
|
||
|
|
+ headers={'User-Agent': 'Buildbot'},
|
||
|
|
debug=self.debug,
|
||
|
|
verify=self.verify,
|
||
|
|
)
|
||
|
|
@@ -109,6 +109,15 @@ def _create_default_generators(self):
|
||
|
|
),
|
||
|
|
]
|
||
|
|
|
||
|
|
+ @defer.inlineCallbacks
|
||
|
|
+ def _get_auth_header(self, props: Properties | None) -> dict[str, str]:
|
||
|
|
+ if props:
|
||
|
|
+ token = yield props.render(self.token)
|
||
|
|
+ else:
|
||
|
|
+ token = yield self.renderSecrets(self.token)
|
||
|
|
+ return {'Authorization': f"token {token}"}
|
||
|
|
+
|
||
|
|
+ @defer.inlineCallbacks
|
||
|
|
def createStatus(
|
||
|
|
self,
|
||
|
|
repo_user,
|
||
|
|
@@ -119,6 +128,7 @@ def createStatus(
|
||
|
|
context=None,
|
||
|
|
issue=None,
|
||
|
|
description=None,
|
||
|
|
+ props=None,
|
||
|
|
):
|
||
|
|
"""
|
||
|
|
:param repo_user: GitHub user or organization
|
||
|
|
@@ -137,6 +147,7 @@ def createStatus(
|
||
|
|
"""
|
||
|
|
payload = {'state': state}
|
||
|
|
|
||
|
|
+
|
||
|
|
if description is not None:
|
||
|
|
payload['description'] = description
|
||
|
|
|
||
|
|
@@ -146,9 +157,11 @@ def createStatus(
|
||
|
|
if context is not None:
|
||
|
|
payload['context'] = context
|
||
|
|
|
||
|
|
- return self._http.post(
|
||
|
|
- '/'.join(['/repos', repo_user, repo_name, 'statuses', sha]), json=payload
|
||
|
|
+ headers = yield self._get_auth_header(props)
|
||
|
|
+ ret = yield self._http.post(
|
||
|
|
+ '/'.join(['/repos', repo_user, repo_name, 'statuses', sha]), json=payload, headers=headers
|
||
|
|
)
|
||
|
|
+ return ret
|
||
|
|
|
||
|
|
def is_status_2xx(self, code):
|
||
|
|
return code // 100 == 2
|
||
|
|
@@ -241,6 +254,7 @@ def sendMessage(self, reports):
|
||
|
|
context=context,
|
||
|
|
issue=issue,
|
||
|
|
description=description,
|
||
|
|
+ props=props,
|
||
|
|
)
|
||
|
|
|
||
|
|
if not response:
|
||
|
|
@@ -305,6 +319,7 @@ def createStatus(
|
||
|
|
context=None,
|
||
|
|
issue=None,
|
||
|
|
description=None,
|
||
|
|
+ props=None,
|
||
|
|
):
|
||
|
|
"""
|
||
|
|
:param repo_user: GitHub user or organization
|
||
|
|
@@ -313,6 +328,8 @@ def createStatus(
|
||
|
|
:param state: one of the following 'pending', 'success', 'error'
|
||
|
|
or 'failure'.
|
||
|
|
:param description: Short description of the status.
|
||
|
|
+ :param context: Build context
|
||
|
|
+ :param props: Properties object of the build (used for render GITHUB_TOKEN secret)
|
||
|
|
:return: A deferred with the result from GitHub.
|
||
|
|
|
||
|
|
This code comes from txgithub by @tomprince.
|
||
|
|
@@ -328,5 +345,6 @@ def createStatus(
|
||
|
|
return None
|
||
|
|
|
||
|
|
url = '/'.join(['/repos', repo_user, repo_name, 'issues', issue, 'comments'])
|
||
|
|
- ret = yield self._http.post(url, json=payload)
|
||
|
|
+ headers = yield self._get_auth_header(props)
|
||
|
|
+ ret = yield self._http.post(url, json=payload, headers=headers)
|
||
|
|
return ret
|
||
|
|
diff --git a/newsfragments/github-reporter-secret-handling.change b/newsfragments/github-reporter-secret-handling.change
|
||
|
|
new file mode 100644
|
||
|
|
index 000000000..a1ebd5408
|
||
|
|
--- /dev/null
|
||
|
|
+++ b/newsfragments/github-reporter-secret-handling.change
|
||
|
|
@@ -0,0 +1,3 @@
|
||
|
|
+GitHubStatusPush will now render github tokens right before the request.
|
||
|
|
+This allow to update the token in the configuration file without restarting the server,
|
||
|
|
+which is in example useful for Githuhb App installations.
|
||
|
|
--
|
||
|
|
2.45.1
|
||
|
|
|