GitHub app auth

.gitignore

@@ -94,3 +94,5 @@ typings/
 
 # End of https://www.gitignore.io/api/node
 xunit.xml
+
+github-app.pem

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:14
+FROM node:16
 
 ENV NODE_ENV production
 ENV PORT 3000

IncrementalsPlugin.js

@@ -223,11 +223,7 @@ class IncrementalsPlugin {
     }
     this.context.log.info('Archive entries %o', entries);
 
-    const pom = entries.find(entry => entry.endsWith('.pom'));
-    if (!pom) {
-      this.context.log.error('No POM');
-      throw new FailRequestError('No POM');
-    }
+    const pom = entries[0].path;
     this.context.log.info('Found a POM %s', pom);
     const pomURL = config.INCREMENTAL_URL + pom;
     const check = await this.fetch(pomURL);
@@ -241,12 +237,19 @@ class IncrementalsPlugin {
      */
     const upload = await this.uploadToArtifactory(archivePath, pomURL);
 
-    const result = await this.github.createStatus(folderMetadataParsed.owner, folderMetadataParsed.repo, buildMetadataParsed.hash, pomURL.replace(/[^/]+$/, ''))
+    const entriesForDisplay = entries.map(entry => {
+      return {
+        artifactId: entry.artifactId,
+        url: config.INCREMENTAL_URL + entry.path.replace(/[^/]+$/, '')
+      };
+    })
+
+    const result = await this.github.createStatus(folderMetadataParsed.owner, folderMetadataParsed.repo, buildMetadataParsed.hash, entriesForDisplay)
       // ignore any actual errors, just log it
       .catch(err => err);
 
     if (result.status >= 300) {
-      this.context.log.error('Failed to create github status, code: %d for repo: %s/%s, check your GitHub credentials', result.status, folderMetadataParsed.owner, folderMetadataParsed.repo);
+      this.context.log.error('Failed to create github status, code: %d for repo: %s/%s, check your GitHub credentials, err: %s', result.status, folderMetadataParsed.owner, folderMetadataParsed.repo, result);
     } else {
       this.context.log.info('Created github status for pom: %s', pom);
     }

Jenkinsfile

@@ -16,10 +16,10 @@ if (JENKINS_URL.contains('ci.jenkins.io')) {
           checkout scm
         }
         stage('NPM Install') {
-          runDockerCommand('node:14',  'npm ci')
+          runDockerCommand('node:16',  'npm ci')
         }
         stage('Lint and Test') {
-          runDockerCommand('node:14',  'npm run test')
+          runDockerCommand('node:16',  'npm run test')
         }
       }
     }

README.adoc

@@ -1,7 +1,7 @@
 = Incremental Build Publisher
 
 
-This Azure Function is responsible for bouncing incrementally built (see
+This service is responsible for uploading incrementally built (see
 link:https://github.com/jenkinsci/jep/tree/master/jep/305[JEP-305]) core and
 plugin artifacts into the incrementals Maven repository (see
 link:https://github.com/jenkins-infra/iep/tree/master/iep-009[IEP-9]).
@@ -13,8 +13,14 @@ link:https://github.com/jenkins-infra/iep/tree/master/iep-009[IEP-9]).
 |===
 | Variable | Description
 
-| `GITHUB_TOKEN`
-| A GitHub OAuth/Personal Access Token which can be used for GitHub API queries, ideally also has access to set the `repo.status` permission.
+| `GITHUB_APP_ID`
+| The App ID for a GitHub app
+
+| `GITHUB_APP_PRIVATE_KEY`
+| The private key for a GitHub app
+
+| `GITHUB_APP_INSTALLATION_ID`
+| The installation ID for the organisation / user account that the GitHub app has been installed to
 
 | `JENKINS_HOST`
 | A Jenkins instance (defaults to `https://ci.jenkins.io/`) to which URLs are
@@ -57,7 +63,7 @@ defaults to
 
 == Valid Requests
 
-This Function only supports one kind of request, and is expected to only be
+This service only supports one kind of request, and is expected to only be
 called by the `buildPlugin()` step or other Jenkins Pipelines which are
 publishing incrementally built artifacts into Artifactory.
 
@@ -71,8 +77,6 @@ publishing incrementally built artifacts into Artifactory.
 This URL is expected to be the value of a `BUILD_URL` environment variable from
 Jenkins.
 
-
-
 == Testing
 
 Unit tests can simply be run by executing `make check` in this directory.
@@ -85,5 +89,5 @@ Function, for example:
 
 [source,bash]
 ----
-curl -i -d '{"build_url":"http://localhost:8080/job/dumb/3/"}' http://localhost:7071/api/incrementals-publisher
+curl -H "Authorization: Bearer ${PRESHARED_KEY}" -H 'Content-Type: application/json' -i -d '{"build_url":"https://ci.jenkins.io/job/Plugins/job/jenkins-infra-test-plugin/job/master/52/"}' http://localhost:3000
 ----

lib/config.js

@@ -1,6 +1,7 @@
 module.exports = {};
 Object.entries({
-  GITHUB_TOKEN: 'invalid-dummy-secret',
+  GITHUB_APP_ID: 'invalid-dummy-id',
+  GITHUB_APP_PRIVATE_KEY: 'invalid-dummy-secret',
   PERMISSIONS_URL: 'https://ci.jenkins.io/job/Infra/job/repository-permissions-updater/job/master/lastSuccessfulBuild/artifact/json/github.index.json',
   JENKINS_HOST: 'https://ci.jenkins.io/',
   INCREMENTAL_URL: 'https://repo.jenkins-ci.org/incrementals/',

lib/github.js

@@ -4,14 +4,28 @@
  */
 
 const { Octokit } = require("@octokit/rest");
+const { createAppAuth } = require('@octokit/auth-app');
+const { request } = require("@octokit/request");
 
-const GITHUB_TOKEN = process.env.GITHUB_TOKEN || 'invalid-dummy-secret';
+const APP_ID = process.env.GITHUB_APP_ID;
+const PRIVATE_KEY = process.env.GITHUB_APP_PRIVATE_KEY;
+
+const INSTALLATION_ID = process.env.GITHUB_APP_INSTALLATION_ID || 22187127
+
+async function getRestClient() {
+  return new Octokit({
+    authStrategy: createAppAuth,
+    auth: {
+      appId: APP_ID,
+      privateKey: PRIVATE_KEY,
+      installationId: INSTALLATION_ID
+    }
+  })
+}
 
 module.exports = {
   commitExists: async (owner, repo, ref) => {
-    let github = new Octokit({
-      auth: GITHUB_TOKEN
-    });
+    const github = await getRestClient();
     /*
     * Ensure that the commit is actually present in our repository! No sense
     * doing any work with it if it's somehow not published.
@@ -22,18 +36,20 @@ module.exports = {
     return !!commit;
   },
 
-  createStatus: async (owner, repo, sha, target_url) => {
-    let github = new Octokit({
-      auth: GITHUB_TOKEN
-    });
-    return github.repos.createCommitStatus({
+  createStatus: async (owner, repo, head_sha, entries) => {
+    const github = await getRestClient();
+    return github.rest.checks.create({
       owner,
       repo,
-      sha,
-      state: 'success',
-      target_url,
-      description: 'Deployed to Incrementals.',
-      context: 'continuous-integration/jenkins/incrementals'
+      name: 'Incrementals',
+      head_sha,
+      status: 'completed',
+      conclusion: 'success',
+      details_url: entries[0].url,
+      output: {
+        title: 'Deployed to Incrementals',
+        summary: entries.map(entry => `- [${entry.artifactId}](${entry.url})`).join('\n')
+      }
     });
   }
 };

lib/permissions.js

@@ -27,7 +27,6 @@ module.exports = {
       const zip = new StreamZip({file: archive});
 
       zip.on('entry', async function (entry) {
-        entries.push(entry.name);
         let ok = !!applicable.find(file => {
           const isMatch = wcmatch(file, { separator: '|' })
           return isMatch(entry.name) || entry.name.startsWith(file);
@@ -57,6 +56,10 @@ module.exports = {
             const groupId = result.project.groupId[0];
             const artifactId = result.project.artifactId[0];
             const version = result.project.version[0];
+            entries.push({
+              artifactId,
+              path: entry.name
+            });
             log.info(util.format('Parsed %s with url=%s tag=%s GAV=%s:%s:%s', entry.name, url, tag, groupId, artifactId, version));
             const expectedPath = groupId.replace(/[.]/g, '/') + '/' + artifactId + '/' + version + '/' + artifactId + '-' + version + '.pom';
             if (tag !== hash) {