Allow tc-gh to have multiple webhook secrets

RESOLVED FIXED


People

(Reporter: bstack, Assigned: owlish)

(Reporter)

Description

2 years ago
This should allow us to slowly but surely rotate credentials and set up the new integration with new credentials.

https://github.com/taskcluster/taskcluster-github/blob/master/src/api.js#L124-L138 is where the webhook secret is currently being verified. I think a nice way to go might be to make cfg.webhook.secret a comma-separated list of secrets and we try to verify against all of them. If any succeed, we accept the hook!
The config is loaded with https://github.com/taskcluster/typed-env-config so you can use !env:list WEBHOOK_SECRETS to load that list and handle splitting on commas.
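
Added example, not part of the original bug or the taskcluster-github code: one way to check a GitHub webhook signature against a comma-separated list of secrets while credentials are being rotated. The function names, the `sha1=`/`sha256=` header parsing, the trimming of whitespace around commas and the sample secrets are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Split the comma-separated secrets string proposed above. Whitespace around
// commas is trimmed (assumption) and empty entries are dropped, so a trailing
// comma can never register an empty secret.
function parseSecrets(raw) {
  return String(raw || '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Returns the index of the secret that verified the payload, or -1 if none did.
// The index lets the service log which secret is still in use, which tells the
// operator when the old one can be retired.
function verifyWebhook(rawBody, signatureHeader, secrets) {
  const m = /^(sha1|sha256)=([0-9a-f]+)$/i.exec(signatureHeader || '');
  if (!m || secrets.length === 0) {
    return -1; // missing or malformed header, or no secrets configured: reject
  }
  const algo = m[1].toLowerCase();
  const received = Buffer.from(m[2], 'hex');
  let matched = -1;
  // Check every secret rather than returning early, so response time does not
  // reveal which position in the list matched.
  secrets.forEach((secret, i) => {
    const expected = crypto.createHmac(algo, secret).update(rawBody).digest();
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (expected.length === received.length &&
        crypto.timingSafeEqual(expected, received) &&
        matched === -1) {
      matched = i;
    }
  });
  return matched;
}

// Helper for the constructed samples below: builds the header a sender
// holding `secret` would attach to `body`.
function sign(algo, secret, body) {
  return `${algo}=` + crypto.createHmac(algo, secret).update(body).digest('hex');
}

// Constructed sample input: two secrets mid-rotation and a small payload.
const sampleSecrets = parseSecrets('old-secret-constructed, new-secret-constructed,');
const sampleBody = Buffer.from('{"action":"opened"}');
console.log(verifyWebhook(sampleBody, sign('sha256', 'new-secret-constructed', sampleBody), sampleSecrets));
```

The HMAC must be computed over the raw request bytes, not over a re-serialized JSON object, or valid deliveries will fail verification.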
(Assignee)

Updated

2 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED