action #123661
closedUse non-personal or in-team tokens for openQA OBS CI integration size:M
Description
Motivation¶
coolo noticed that there are some obs packages that use his token for CI integration:
<entry id="12" string="L8QrNuC50kjUlZWQmD4+mMAYApbF9w2sgXOEHvdj" kind="service" description="" triggered_at="2023-01-23 16:23:23 UTC" project="devel:openQA" package="openQA"/>
<entry id="3046" string="THZ7YadHSbAa5Kwg5Jy4ud3w" kind="service" description="" triggered_at="2023-01-23 16:23:23 UTC" project="devel:openQA" package="openqa_dev"/>
<entry id="3055" string="pqpAr26bZQGTo2TwyPLJX5VV" kind="service" description="" triggered_at="2023-01-23 16:23:23 UTC" project="devel:openqa:ci" package="base"/>
<entry id="3058" string="nSiTjKwRQzWn3umDvBx8C4Vc" kind="service" description="" triggered_at="2023-01-23 16:23:22 UTC" project="devel:openqa:ci" package="dependency_bot"/>
We should switch to non-personal or in-team tokens like we already do with os-autoinst using a token and account from okurz. It might be desired to use a person in changelogs, not a bot-account.
Acceptance criteria¶
- AC1: no token owned by coolo is used
Suggestions¶
- Replace the above tokens with non-personal or in-team tokens
- Either use okurz same as for os-autoinst or research if a non-personal account is ok with a team mailing list and potentially create new team mailing list and use that account and create token in there
- Follow https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.authorization.token.html
Updated by okurz over 2 years ago
- Subject changed from [epic] Use non-personal or in-team tokens for openQA OBS CI integration to Use non-personal or in-team tokens for openQA OBS CI integration size:M
- Description updated (diff)
- Status changed from New to Workable
Updated by mkittler over 2 years ago
The linked documentation explains how to create a token. However, what places would I need to update to use the newly generated token? Some of the webkooks under https://github.com/os-autoinst/openQA/settings/hooks?
I have also recently changed the key of the obs-workflow GitHub user (see https://gitlab.suse.de/openqa/password/-/merge_requests/5) and also don't know which places need updating now.
Updated by okurz over 2 years ago
I did osc token --create devel:openQA openQA which created token id 6964. I updated in https://github.com/os-autoinst/openQA/settings/hooks/58885945 and now we can await if the openQA package uses that.
Updated by okurz over 2 years ago
- Due date set to 2023-02-10
- Status changed from Workable to Feedback
- Assignee set to okurz
I then did osc token --create devel:openQA openqa_dev creating id 6967. osc token --create devel:openqa:ci base showed me error 404. I need to mind the casing. osc token --create devel:openQA:ci base creating id 6970 and osc token --create devel:openQA:ci dependency_bot creating id 6973 so we don't need any of coolo's tokens anymore.
Updated by okurz over 2 years ago
- Related to action #123867: [sporadic][ci] circleCI job "build-docs-nightly" failed added
Updated by okurz over 2 years ago
- Due date deleted (
2023-02-10) - Status changed from Feedback to Resolved
#123867 turned out to be not related. I assume we are good.