Closed Bug 1323025 Opened 8 years ago Closed 7 years ago

Allow tc-gh to have multiple webhook secrets

Categories

(Taskcluster :: Services, defect)

Product:
Taskcluster
Component:
Services
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: bstack, Assigned: owlish)

Details

This should allow us to slowly but surely rotate credentials and set up the new integration with new credentials.

https://github.com/taskcluster/taskcluster-github/blob/master/src/api.js#L124-L138 is where the webhook secret is currently being verified. I think a nice way to go might be to make cfg.webhook.secret a comma-separated list of secrets and we try to verify against all of them. If any succeed, we accept it the hook!
The config is loaded with https://github.com/taskcluster/typed-env-config so you can use !env:list WEBHOOK_SECRETS to load that list and handle splitting on commas.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Github → Services
You need to log in before you can comment on or make changes to this bug.