OCPERT-368: Replace GitHub token with Github app for Jira Notificator

[tomasdavidorg]

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED

https://redhat.atlassian.net/browse/OCPERT-368

[openshift-ci-robot]

@tomasdavidorg: This pull request references OCPERT-368 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED

https://redhat.atlassian.net/browse/OCPERT-368

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tomasdavidorg

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/release-qe-tests/jira-notificator/OWNERS [tomasdavidorg]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

This PR updates the jira-notificator step script to provision GitHub App reader credentials from Vault instead of a GitHub token. The credential swap removes GITHUB_TOKEN export and adds GITHUB_APP_READER_ID and GITHUB_APP_READER_PRIVATE_KEY environment variables for the notifier command.

Changes

GitHub App Reader Credential Migration

Layer / File(s)	Summary
Jira notificator GitHub App reader credentials ci-operator/step-registry/release-qe-tests/jira-notificator/release-qe-tests-jira-notificator-commands.sh	Vault credential provisioning switches from GitHub token to GitHub App reader credentials. The script now reads github_app_reader_id and github_app_reader_private_key from Vault and exports them as GITHUB_APP_READER_ID and GITHUB_APP_READER_PRIVATE_KEY for the subsequent oarctl jira-notificator invocation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Script exports sensitive credentials (JIRA token, GitHub App ID, private key, username) without disabling xtrace, causing potential credential exposure in logs when tracing is enabled in CI/CD.	Wrap sensitive credential reads/exports with xtrace disable/restore (set +x before, set -x after) and read private key file content instead of exporting the path.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: replacing GitHub token authentication with GitHub App authentication for the Jira Notificator component.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only a shell script for Jira notificator credentials. No Ginkgo test files or Go test code is touched; the check is not applicable.
Test Structure And Quality	✅ Passed	The PR modifies only a shell script file that reads Vault credentials and executes a command. No Ginkgo test files are present or modified, so the test quality check does not apply.
Microshift Test Compatibility	✅ Passed	PR does not add any Ginkgo e2e tests. It only modifies a CI credential management shell script, so MicroShift test compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes only modify a bash CI script and configuration files for the Jira Notificator step.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies a CI/CD credential script, not deployment manifests or controllers. No scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	The OTE Binary Stdout Contract check is for Go/Ginkgo test binaries. The PR modifies only a bash CI step script, not an OTE test binary, making the check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add Ginkgo e2e tests. It only modifies a CI operator shell script for credential configuration, so the IPv6/disconnected network check does not apply.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns found. The script contains no MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB usage, custom crypto implementations, or non-constant-time comparisons.
Container-Privileges	✅ Passed	No privileged container configurations detected. The YAML manifest contains no privileged flags, elevated capabilities, or host access settings. Script contains no privilege escalation.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@tomasdavidorg: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-release-tests-main-jira-notificator	N/A	periodic	Registry content changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/release-qe-tests/jira-notificator/release-qe-tests-jira-notificator-commands.sh`:
- Around line 8-9: The script currently sets github_app_reader_private_key to a
file path and exports GITHUB_APP_READER_PRIVATE_KEY with that path string;
instead read the actual private key contents from the file and export that
content. Replace the path-assignment/export pattern so that the variable
github_app_reader_private_key is used to read the file contents (preserving
newlines and avoiding word-splitting) and then export
GITHUB_APP_READER_PRIVATE_KEY with the file's content (not the path); ensure you
handle missing file errors and quoting when assigning in the script where
GITHUB_APP_READER_PRIVATE_KEY and github_app_reader_private_key are referenced.
- Around line 6-9: The secret reads/exports for
github_app_reader_id/GITHUB_APP_READER_ID and
github_app_reader_private_key/GITHUB_APP_READER_PRIVATE_KEY must be wrapped in a
saved-and-restored xtrace block: capture the current xtrace state (e.g., save
$(set +x; echo $-)), disable tracing with set +x, perform the cat/read and
export operations for the two variables, and then restore the original xtrace
state so tracing is returned to its prior setting; apply this around the code
that assigns github_app_reader_id, GITHUB_APP_READER_ID,
github_app_reader_private_key and GITHUB_APP_READER_PRIVATE_KEY.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 26ca1941-e75b-4e04-8c1a-6484ddceafb1

📥 Commits

Reviewing files that changed from the base of the PR and between 5420dee and 3da54d6.

📒 Files selected for processing (1)

• ci-operator/step-registry/release-qe-tests/jira-notificator/release-qe-tests-jira-notificator-commands.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Guard sensitive reads/exports with xtrace disable + restore.

This script handles Vault-backed secrets, but Line 6-9 do not save/restore xtrace state and force set +x during secret handling. Please wrap the sensitive block accordingly.

Suggested hardening

+had_xtrace=0
+case "$-" in
+  *x*) had_xtrace=1; set +x ;;
+esac
+
 github_app_reader_id=$(cat "/var/run/vault/release-tests-token/github_app_reader_id")
-export GITHUB_APP_READER_ID=$github_app_reader_id
-github_app_reader_private_key="/var/run/vault/release-tests-token/github_app_reader_private_key"
-export GITHUB_APP_READER_PRIVATE_KEY=$github_app_reader_private_key
+export GITHUB_APP_READER_ID="$github_app_reader_id"
+github_app_reader_private_key=$(cat "/var/run/vault/release-tests-token/github_app_reader_private_key")
+export GITHUB_APP_READER_PRIVATE_KEY="$github_app_reader_private_key"
+
+if [[ $had_xtrace -eq 1 ]]; then
+  set -x
+fi

As per coding guidelines, "In step registry scripts handling sensitive data, temporarily disable tracing with set +x and save/restore previous tracing state to prevent credential leakage in logs."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/release-qe-tests/jira-notificator/release-qe-tests-jira-notificator-commands.sh`
around lines 6 - 9, The secret reads/exports for
github_app_reader_id/GITHUB_APP_READER_ID and
github_app_reader_private_key/GITHUB_APP_READER_PRIVATE_KEY must be wrapped in a
saved-and-restored xtrace block: capture the current xtrace state (e.g., save
$(set +x; echo $-)), disable tracing with set +x, perform the cat/read and
export operations for the two variables, and then restore the original xtrace
state so tracing is returned to its prior setting; apply this around the code
that assigns github_app_reader_id, GITHUB_APP_READER_ID,
github_app_reader_private_key and GITHUB_APP_READER_PRIVATE_KEY.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

GITHUB_APP_READER_PRIVATE_KEY is exporting a file path, not the private key value.

Line 8 assigns the path string, while the PR objective says this credential should be read from Vault and exported. This can break auth if oarctl jira-notificator expects actual key content in GITHUB_APP_READER_PRIVATE_KEY.

Suggested fix

-github_app_reader_private_key="/var/run/vault/release-tests-token/github_app_reader_private_key"
-export GITHUB_APP_READER_PRIVATE_KEY=$github_app_reader_private_key
+github_app_reader_private_key=$(cat "/var/run/vault/release-tests-token/github_app_reader_private_key")
+export GITHUB_APP_READER_PRIVATE_KEY="$github_app_reader_private_key"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/release-qe-tests/jira-notificator/release-qe-tests-jira-notificator-commands.sh`
around lines 8 - 9, The script currently sets github_app_reader_private_key to a
file path and exports GITHUB_APP_READER_PRIVATE_KEY with that path string;
instead read the actual private key contents from the file and export that
content. Replace the path-assignment/export pattern so that the variable
github_app_reader_private_key is used to read the file contents (preserving
newlines and avoiding word-splitting) and then export
GITHUB_APP_READER_PRIVATE_KEY with the file's content (not the path); ensure you
handle missing file errors and quoting when assigning in the script where
GITHUB_APP_READER_PRIVATE_KEY and github_app_reader_private_key are referenced.

[openshift-ci]

@tomasdavidorg: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[tomasdavidorg]

Reopened in #79915