Skip to content

fix(ISV-7456): Update GH token for daily support summary#989

Closed
JakubDurkac wants to merge 1 commit into
mainfrom
ISV-7456
Closed

fix(ISV-7456): Update GH token for daily support summary#989
JakubDurkac wants to merge 1 commit into
mainfrom
ISV-7456

Conversation

@JakubDurkac

Copy link
Copy Markdown
Contributor

Old token was revoked recently and daily support summary fails on github authentication and fails to post updates on slack. Therefore, updating the github token there also.

Merge Request Checklists

  • Development is done in feature branches
  • Code changes are submitted as pull request into a primary branch [Provide reason for non-primary branch submissions]
  • Code changes are covered with unit and integration tests.
  • Code passes all automated code tests:
    • Linting
    • Code formatter - Black
    • Security scanners
    • Unit tests
    • Integration tests
  • Code is reviewed by at least 1 team member
  • Pull request is tagged with "risk/good-to-go" label for minor changes

@qodo-redhat-openshift-ecosystem

Copy link
Copy Markdown

PR Summary by Qodo

Fix daily support summary GitHub auth by rotating revoked token (stage/prod)

🐞 Bug fix ⚙️ Configuration changes 🕐 10-20 Minutes

Grey Divider

AI Description

• Rotate the GitHub token used by the daily support summary to restore GitHub authentication.
• Update encrypted Ansible Vault secrets for both stage and production OCP clusters.
Diagram

graph TD
  A["Ansible Vault secrets (stage/prod)"] --> B["OCP cluster config"] --> C["Daily support summary job"] --> D{{"GitHub API"}}
  C --> E{{"Slack"}}
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Use a GitHub App instead of a PAT
  • ➕ App installation tokens are short-lived and can be rotated automatically
  • ➕ More granular permissions and better auditability than long-lived PATs
  • ➖ Requires GitHub App creation/configuration and changes to how the job authenticates
2. Externalize secrets to a centralized secret manager
  • ➕ Avoids embedding/duplicating sensitive tokens in repo-encrypted vault files
  • ➕ Enables rotation workflows and access policies per environment
  • ➖ Additional infrastructure/integration work (e.g., ExternalSecrets/ESO + backend)
3. Automate PAT rotation and rollout
  • ➕ Keeps current authentication model but reduces manual maintenance
  • ➕ Can proactively detect expiry/revocation and re-deploy secrets
  • ➖ Still relies on long-lived PATs; added pipeline complexity

Recommendation: For an urgent restore, rotating the vaulted token (current PR) is the fastest and lowest-risk change. If this token has rotated more than once, consider migrating to a GitHub App or centralized secret management to eliminate repeated manual secret updates and reduce outage risk.

Files changed (2) +26 / -26

Other (2) +26 / -26
secret-vars.ymlRotate production vaulted GitHub token for daily support summary +13/-13

Rotate production vaulted GitHub token for daily support summary

• Updates the encrypted Ansible Vault payload in prod secret variables, reflecting a rotated GitHub authentication token. Intended to restore GitHub API access for the daily support summary workflow.

ansible/vaults/config-ocp-cluster/prod/secret-vars.yml

secret-vars.ymlRotate stage vaulted GitHub token for daily support summary +13/-13

Rotate stage vaulted GitHub token for daily support summary

• Updates the encrypted Ansible Vault payload in stage secret variables to match the new GitHub authentication token. Keeps stage aligned with production for the daily support summary job.

ansible/vaults/config-ocp-cluster/stage/secret-vars.yml

@qodo-redhat-openshift-ecosystem

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Grey Divider

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

Grey Divider

Qodo Logo

@JakubDurkac JakubDurkac requested a review from kosciCZ July 10, 2026 13:02

@kosciCZ kosciCZ left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@JakubDurkac

Copy link
Copy Markdown
Contributor Author

PR for this already exists, closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants