This should allow us to slowly but surely rotate credentials and set up the new integration with new credentials. https://github.com/taskcluster/taskcluster-github/blob/master/src/api.js#L124-L138 is where the webhook secret is currently being verified. I think a nice way to go might be to make cfg.webhook.secret a comma-separated list of secrets and we try to verify against all of them. If any succeed, we accept it the hook!
The config is loaded with https://github.com/taskcluster/typed-env-config so you can use !env:list WEBHOOK_SECRETS to load that list and handle splitting on commas.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.