feat: use bot token to create org hook

heurtematte · heurtematte · commit c527985d4c9b · 2023-09-14T14:49:41.000+02:00
Signed-off-by: sebastien.heurtematte &lt;sebastien.heurtematte@eclipse-foundation.org&gt;
diff --git a/github/create_webhook.sh b/github/create_webhook.sh
@@ -14,10 +14,14 @@ set -o nounset
 set -o pipefail
 
 IFS=$'\n\t'
-SCRIPT_FOLDER="$(dirname "$(readlink -f "${0}")")"
-CI_ADMIN_ROOT="${SCRIPT_FOLDER}/.."
+set -x
+
+SCRIPT_FOLDER="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
+#shellcheck disable=SC1091
+source "${SCRIPT_FOLDER}/../pass/pass_wrapper.sh"
+
+GITHUB_PASS_DOMAIN="github.com"
 
-TOKEN="$("${CI_ADMIN_ROOT}/utils/local_config.sh" "get_var" "access_token" "github")"
 #shellcheck disable=SC2089
 EVENTS='["push","pull_request"]'
 
@@ -47,13 +51,16 @@ org() {
     exit 1
   fi
 
+  local pw_store_path="bots/${project_name}/${GITHUB_PASS_DOMAIN}"
+  local bot_token=$(passw cbi "${pw_store_path}/api-token")
+
   echo "Creating organization webhook..."
 
   local response
   response="$(curl -sS\
     -X POST \
     -H "Accept: application/vnd.github+json" \
-    -H "Authorization: Bearer ${TOKEN}"\
+    -H "Authorization: Bearer ${bot_token}"\
     -H "X-GitHub-Api-Version: 2022-11-28" \
     "https://api.github.com/orgs/${org}/hooks" \
     -d '{"name":"web","active":true,"events":'${EVENTS}',"config":{"url":"'${webhook_url}'","content_type":"json"}}')"
@@ -62,6 +69,7 @@ org() {
     echo "ERROR:"
     printf " Message: %s\n" "$(echo "${response}" | jq '.message')"
     printf " Errors/Message: %s\n" "$(echo "${response}" | jq '.errors[].message')"
+    exit 1
   fi
 }
 
@@ -71,6 +79,7 @@ repo() {
   local short_name="${project_name##*.}"
   local webhook_url="https://ci.eclipse.org/${short_name}/github-webhook/"
 
+
   # check that project name is not empty
   if [[ -z "${project_name}" ]]; then
     printf "ERROR: a project name must be given.\n"
@@ -83,13 +92,16 @@ repo() {
     exit 1
   fi
 
+  local pw_store_path="bots/${project_name}/${GITHUB_PASS_DOMAIN}"
+  local bot_token=$(passw cbi "${pw_store_path}/api-token")
+
   echo "Creating repo webhook..."
 
   local response
   response="$(curl -sS\
     -X POST \
     -H "Accept: application/vnd.github+json" \
-    -H "Authorization: Bearer ${TOKEN}"\
+    -H "Authorization: Bearer ${bot_token}"\
     -H "X-GitHub-Api-Version: 2022-11-28" \
     "https://api.github.com/repos/${repo}/hooks" \
     -d '{"name":"web","active":true,"events":'${EVENTS}',"config":{"url":"'${webhook_url}'","content_type":"json"}}')"
diff --git a/github/setup_github_bot.sh b/github/setup_github_bot.sh
@@ -59,7 +59,7 @@ set_up_github_account() {
   * API token
     * Name:       Jenkins GitHub Plugin token https://ci.eclipse.org/${SHORT_NAME}
     * Expiration: No expiration
-    * Scopes:     repo:status, public_repo, admin:repo_hook
+    * Scopes:     repo:status, public_repo, admin:repo_hook, admin:org_hook
   * Add token to pass (api-token)
 * Add GitHub bot to project’s GitHub org (invite via webmaster account)
 EOF
