jenkins: automate notifyCommit token

2026-01-20 11:54:15 -03:00 · 2026-01-20 11:54:15 -03:00 · f5eec19e11
commit f5eec19e11
parent b54da8e3e0
4 changed files with 44 additions and 2 deletions
--- a/services/jenkins/deployment.yaml
+++ b/services/jenkins/deployment.yaml
@ -40,8 +40,9 @@ spec:
          {{ end }}
          {{ with secret "kv/data/atlas/jenkins/webhook-tokens" }}
          TITAN_IAC_WEBHOOK_TOKEN={{ .Data.data.titan_iac_quality_gate }}
+          GIT_NOTIFY_TOKEN_BSTEIN_DEV_HOME={{ .Data.data.git_notify_bstein_dev_home }}
          {{ end }}
-        bstein.dev/restarted-at: "2026-01-20T14:35:00Z"
+        bstein.dev/restarted-at: "2026-01-20T14:52:41Z"
    spec:
      serviceAccountName: jenkins
      nodeSelector:
--- a/services/jenkins/kustomization.yaml
+++ b/services/jenkins/kustomization.yaml
@ -16,6 +16,7 @@ configMapGenerator:
  - name: jenkins-init-scripts
    namespace: jenkins
    files:
+      - git-notify-token.groovy=scripts/git-notify-token.groovy
      - theme.groovy=scripts/theme.groovy
    options:
      disableNameSuffixHash: true
--- a/services/jenkins/scripts/git-notify-token.groovy
+++ b/services/jenkins/scripts/git-notify-token.groovy
@ -0,0 +1,41 @@
+import hudson.plugins.git.ApiTokenPropertyConfiguration
+import hudson.Util
+import java.nio.charset.StandardCharsets
+import java.security.MessageDigest
+
+
+def entries = [
+  [env: 'GIT_NOTIFY_TOKEN_BSTEIN_DEV_HOME', name: 'gitea-bstein-dev-home'],
+]
+
+entries.each { entry ->
+  def token = System.getenv(entry.env)
+  if (!token || token.trim().isEmpty()) {
+    println("Git notifyCommit token ${entry.env} missing; skipping")
+    return
+  }
+
+  try {
+    def config = ApiTokenPropertyConfiguration.get()
+    if (config.hasMatchingApiToken(token)) {
+      println("Git notifyCommit token ${entry.name} already configured")
+      return
+    }
+
+    def digest = MessageDigest.getInstance("SHA-256")
+    def hash = Util.toHexString(digest.digest(token.getBytes(StandardCharsets.US_ASCII)))
+
+    def field = ApiTokenPropertyConfiguration.class.getDeclaredField("apiTokens")
+    field.setAccessible(true)
+    def tokens = field.get(config)
+
+    def ctor = ApiTokenPropertyConfiguration.HashedApiToken.class.getDeclaredConstructor(String.class, String.class)
+    ctor.setAccessible(true)
+    tokens.add(ctor.newInstance(entry.name, hash))
+    config.save()
+
+    println("Added git notifyCommit access token ${entry.name}")
+  } catch (Throwable e) {
+    println("Failed to configure git notifyCommit token ${entry.name}: ${e.class.simpleName}: ${e.message}")
+  }
+}
--- a/services/jenkins/scripts/theme.groovy
+++ b/services/jenkins/scripts/theme.groovy
@ -8,7 +8,6 @@ if (decorators?.size() > 0) {
  def theme = decorators[0]
  theme.setCssUrl("https://jenkins-contrib-themes.github.io/jenkins-material-theme/dist/material-ocean.css")
  theme.setJsUrl("")
-  theme.setTheme("")
  instance.save()
  println("Applied simple-theme-plugin dark theme")
 } else {