Closed
Changes from all commits
Expand Up @@ -3,6 +3,8 @@ jira_username=$(cat "/var/run/vault/release-tests-token/jira_username")
export JIRA_USERNAME=$jira_username
jira_token=$(cat "/var/run/vault/release-tests-token/jira_token")
export JIRA_TOKEN=$jira_token
github_token=$(cat "/var/run/vault/release-tests-token/github_token")
export GITHUB_TOKEN=$github_token
github_app_reader_id=$(cat "/var/run/vault/release-tests-token/github_app_reader_id")
export GITHUB_APP_READER_ID=$github_app_reader_id
github_app_reader_private_key="/var/run/vault/release-tests-token/github_app_reader_private_key"
export GITHUB_APP_READER_PRIVATE_KEY=$github_app_reader_private_key
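Review bot: `github_app_reader_private_key` on the new file's line 8 is assigned the Vault file path, while the four secrets above it are read with `$(cat ...)`, so `GITHUB_APP_READER_PRIVATE_KEY` ends up holding a path string rather than key material; either read the file the same way the sibling secrets are read (`github_app_reader_private_key=$(cat "/var/run/vault/release-tests-token/github_app_reader_private_key")`) or, if the consumer really takes a path, make that explicit in the variable name and the PR objective. Separately, none of the `$(cat ...)` reads checks that the file exists, so a missing Vault mount exports an empty value and the failure only surfaces later in the consumer; a `[ -r "$f" ]` check that exits with a message naming the path (never the value) fails fast, and the whole block should run with xtrace off so none of the values land in the job log.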
Comment on lines +6 to +9


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard sensitive reads/exports with xtrace disable + restore.

This script handles Vault-backed secrets, but Lines 6-9 do not save/restore xtrace state or force `set +x` during secret handling. Please wrap the sensitive block accordingly.

Suggested hardening
+had_xtrace=0
+case "$-" in
+  *x*) had_xtrace=1; set +x ;;
+esac
+
 github_app_reader_id=$(cat "/var/run/vault/release-tests-token/github_app_reader_id")
-export GITHUB_APP_READER_ID=$github_app_reader_id
-github_app_reader_private_key="/var/run/vault/release-tests-token/github_app_reader_private_key"
-export GITHUB_APP_READER_PRIVATE_KEY=$github_app_reader_private_key
+export GITHUB_APP_READER_ID="$github_app_reader_id"
+github_app_reader_private_key=$(cat "/var/run/vault/release-tests-token/github_app_reader_private_key")
+export GITHUB_APP_READER_PRIVATE_KEY="$github_app_reader_private_key"
+
+if [[ $had_xtrace -eq 1 ]]; then
+  set -x
+fi
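Review bot: the guard starts only at the `github_app_reader_id` read, but the `jira_username`, `jira_token` and `github_token` reads in the same hunk are equally sensitive and stay traced; move the `had_xtrace`/`set +x` prologue above the first `$(cat ...)` so one save/restore covers all five secrets. Also, the detection uses POSIX `case "$-"` while the restore uses the bash-only `[[ ... ]]`; `[ "$had_xtrace" -eq 1 ] && set -x` keeps both halves portable to whatever shell runs the step.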

As per coding guidelines, "In step registry scripts handling sensitive data, temporarily disable tracing with set +x and save/restore previous tracing state to prevent credential leakage in logs."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/release-qe-tests/jira-notificator/release-qe-tests-jira-notificator-commands.sh` around lines 6 - 9, the secret reads/exports for github_app_reader_id/GITHUB_APP_READER_ID and github_app_reader_private_key/GITHUB_APP_READER_PRIVATE_KEY must be wrapped in a saved-and-restored xtrace block: capture the current xtrace state (e.g., save $(set +x; echo $-)), disable tracing with set +x, perform the cat/read and export operations for the two variables, and then restore the original xtrace state so tracing is returned to its prior setting; apply this around the code that assigns github_app_reader_id, GITHUB_APP_READER_ID, github_app_reader_private_key and GITHUB_APP_READER_PRIVATE_KEY.

Comment on lines +8 to +9


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

GITHUB_APP_READER_PRIVATE_KEY is exporting a file path, not the private key value.

Line 8 assigns the path string, while the PR objective says this credential should be read from Vault and exported. This can break auth if oarctl jira-notificator expects actual key content in GITHUB_APP_READER_PRIVATE_KEY.

Suggested fix
-github_app_reader_private_key="/var/run/vault/release-tests-token/github_app_reader_private_key"
-export GITHUB_APP_READER_PRIVATE_KEY=$github_app_reader_private_key
+github_app_reader_private_key=$(cat "/var/run/vault/release-tests-token/github_app_reader_private_key")
+export GITHUB_APP_READER_PRIVATE_KEY="$github_app_reader_private_key"
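Review bot: the suggested `$(cat ...)` read still has no failure handling, which the agent prompt for this same finding explicitly asks for: if the Vault file is absent, `cat` writes an error and, unless the script runs under `set -e`, an empty `GITHUB_APP_READER_PRIVATE_KEY` is exported and the auth failure only appears later in `oarctl jira-notificator`. A readability check before the read, e.g. `[ -r "$f" ] || { echo "missing $f" >&2; exit 1; }`, fails at the right place without printing the value. Note also that `$(...)` drops the PEM's trailing newline, which PEM parsers generally tolerate but which matters if the value is ever written back to a file and compared byte-for-byte.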

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ci-operator/step-registry/release-qe-tests/jira-notificator/release-qe-tests-jira-notificator-commands.sh` around lines 8 - 9, the script currently sets github_app_reader_private_key to a file path and exports GITHUB_APP_READER_PRIVATE_KEY with that path string; instead read the actual private key contents from the file and export that content. Replace the path-assignment/export pattern so that the variable github_app_reader_private_key is used to read the file contents (preserving newlines and avoiding word-splitting) and then export GITHUB_APP_READER_PRIVATE_KEY with the file's content (not the path); ensure you handle missing file errors and quoting when assigning in the script where GITHUB_APP_READER_PRIVATE_KEY and github_app_reader_private_key are referenced.
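The two review comments above ask for the same two things: a saved-and-restored xtrace guard around every secret read, and exporting the private key's contents rather than its path. The script below is an added, stand-alone example (not the PR's script and not part of the repository): `load_secret` and `xtrace_is_on` are hypothetical helper names, `SECRET_DIR` is a temp directory standing in for `/var/run/vault/release-tests-token/`, and the two secret files in it are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: read Vault-mounted secret files into
# exported variables without letting `set -x` echo their contents, and read
# the key's contents rather than its path. SECRET_DIR stands in for
# /var/run/vault/release-tests-token/ and its files are constructed samples.
set -eu

# xtrace_is_on: succeed when command tracing (set -x) is active.
xtrace_is_on() { case "$-" in *x*) return 0 ;; esac; return 1; }

# load_secret VAR FILE: export VAR=<contents of FILE> with tracing off,
# then restore whatever tracing state the caller had.
load_secret() {
  local var="$1" file="$2" had_xtrace=0 value
  xtrace_is_on && had_xtrace=1
  set +x                        # from here on nothing reaches the job log
  if [ ! -r "$file" ]; then
    [ "$had_xtrace" -eq 1 ] && set -x
    echo "load_secret: $file is missing or unreadable" >&2
    return 1                    # fail fast instead of exporting an empty value
  fi
  # $(...) strips trailing newlines; append a sentinel so the PEM's final
  # newline survives, then drop the sentinel.
  value=$(cat "$file" && printf x)
  value=${value%x}
  export "$var=$value"
  [ "$had_xtrace" -eq 1 ] && set -x
  return 0
}

# Constructed sample mount: a temp dir with two fake secret files.
SECRET_DIR=$(mktemp -d)
trap 'rm -rf "$SECRET_DIR"' EXIT
printf 'jira-bot' > "$SECRET_DIR/jira_username"
printf -- '-----BEGIN PRIVATE KEY-----\nEXAMPLEKEYMATERIAL\n-----END PRIVATE KEY-----\n' \
  > "$SECRET_DIR/github_app_reader_private_key"

set -x                          # simulate a CI step that traces every command
load_secret JIRA_USERNAME "$SECRET_DIR/jira_username"
load_secret GITHUB_APP_READER_PRIVATE_KEY "$SECRET_DIR/github_app_reader_private_key"
set +x                          # the trace showed the paths but never the values
load_secret MISSING_SECRET "$SECRET_DIR/does_not_exist" \
  || echo "refused to export a missing secret" >&2
```

Running it shows `+ load_secret ... /tmp/.../jira_username` and `+ set +x` in the trace, then nothing until the caller's `set -x` is restored; the missing-file call returns non-zero instead of exporting an empty variable.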
