Require Bitbucket DC bot token + username when BBDC auth enabled#732
Conversation
|
✅ Review complete. This review was performed through OpenHands Cloud Automation. You can log in and view the conversation here. |
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
🟡 Acceptable - The Replicated-side wiring is simple, but direct Helm installs still don't fail fast for the newly required Bitbucket Data Center bot identity.
[IMPROVEMENT OPPORTUNITIES]
- [charts/openhands/templates/_env.yaml, Line 204] Configuration Contract: The chart renders an empty username and still permits the bot token secret key to be absent, so Helm consumers can enable BBDC without the bot identity this PR says is required.
[RISK ASSESSMENT]
- [Overall PR]
⚠️ Risk Assessment: 🟡 MEDIUM
This changes authentication/integration configuration for Bitbucket Data Center. Replicated installs get stricter validation, but the direct Helm path can remain silently misconfigured unless the new required values are enforced and documented.
VERDICT:
❌ Needs follow-up: Please align the Helm chart path (fail fast for missing bitbucketDataCenter.botUsername/bot token and update the README secret example) or clarify that this requirement is Replicated-only.
KEY INSIGHT:
The data flow is correct for Replicated, but the chart's public contract still allows the invalid configuration the PR is trying to eliminate.
Improve this review? If any feedback above seems incorrect or irrelevant to this repository, you can teach the reviewer to do better:
- Add a
.agents/skills/custom-codereview-guide.mdfile to your branch (or edit it if one already exists) with the/codereviewtrigger and the context the reviewer is missing (e.g., "Security concerns about X do not apply here because Y"). See the customization docs for the required frontmatter format.- Re-request a review - the reviewer reads guidelines from the PR branch, so your changes take effect immediately.
- When your PR is merged, the guideline file goes through normal code review by repository maintainers.
Resolve with AI? Install the iterate skill in your agent and run
/iterateto automatically drive this PR through CI, review, and QA until it's merge-ready.Was this review helpful? React with 👍 or 👎 to give feedback.
This review was generated by an AI agent (OpenHands) on behalf of the user through OpenHands Automation. View conversation
| - name: BITBUCKET_DATA_CENTER_HOST | ||
| value: {{ .Values.bitbucketDataCenter.host }} | ||
| - name: BITBUCKET_DATA_CENTER_BOT_USERNAME | ||
| value: {{ .Values.bitbucketDataCenter.botUsername | quote }} |
There was a problem hiding this comment.
🟠 Important: This adds the env var, but direct Helm installs render it as an empty string when bitbucketDataCenter.enabled=true and bitbucketDataCenter.botUsername is unset. In the same chart path, BITBUCKET_DATA_CENTER_BOT_TOKEN is still sourced from an optional secret key, so the chart still permits exactly the bot-less BBDC configuration this PR is trying to forbid. Please fail fast here (for example, required "bitbucketDataCenter.botUsername is required when bitbucketDataCenter.enabled=true" .Values.bitbucketDataCenter.botUsername and make the bot-token secret key non-optional or add an explicit required value/schema path), and update charts/openhands/README.md's BBDC secret/values example to include both bot credentials.
Integration credentials (bot tokens/usernames, service-account emails/PATs) are enforced as required in replicated/config.yaml, not via Helm `required` in the chart -- consistent across all integrations (Jira DC, Bitbucket DC, ...). Records the convention so reviews don't flag KOTS-enforced-not-Helm-enforced wiring as a gap; tightening the bare-helm path is a deliberate chart-wide follow-up, out of scope for an integration-wiring PR.
|
Thanks for the careful read. I want to push back on the one improvement item, with parity evidence, rather than change it here — and I've documented the convention so it's clear going forward. The bot identity is enforced — at the KOTS layer, exactly like every other integrationWe do support bare-Kubernetes/Helm customers, so this isn't "raw Helm is unsupported." The point is that required integration credentials are enforced in
This is identical to how Jira DC already ships:
And in the chart, no integration uses Helm The bare-
|
|
✅ Review complete. This review was performed through OpenHands Cloud Automation. You can log in and view the conversation here. |
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
🟢 Good taste — Minimal, focused change that correctly wires a new required BBDC field through the full config-to-chart stack.
The previous review flagged that direct Helm installs don't fail-fast for the missing bot identity. This PR explicitly addresses that concern by updating .agents/skills/code-review.md with the architectural rationale: KOTS is the primary install path for every customer, and by established convention credentials are enforced at the KOTS layer (replicated/config.yaml with required: true) rather than via Helm's required function. The pattern is consistent across all integrations (Jira DC, Azure DevOps, etc.) — secrets use secretKeyRef … optional: true in the chart, non-secret values default to empty. The documentation update is a legitimate and accurate description of the system's deployment architecture.
The change itself is clean:
replicated/config.yaml: bot token upgraded from "strongly recommended" torequired: true; newbitbucket_data_center_bot_usernamefield added withrequired: trueand correcttype: text(notpassword).replicated/openhands.yaml: new config option wired tobitbucketDataCenter.botUsername._env.yaml:BITBUCKET_DATA_CENTER_BOT_USERNAMEemitted under the existingbitbucketDataCenter.enabledguard, using| quote(consistent with — and actually safer than — howBITBUCKET_DATA_CENTER_HOSTis rendered without the filter).values.yaml:botUsername: ""default follows the same pattern ashost: "".- Chart version bump is appropriate.
No breaking changes, no new dependencies, no security concerns. The fix addresses a real, confirmed customer problem (duplicate job triggers from bot's own comment replies).
[RISK ASSESSMENT]
- [Overall PR]
⚠️ Risk Assessment: 🟢 LOW
Config/infrastructure changes only. Making credentials required is a hardening change. All wiring follows the established pattern. The KOTS-layer enforcement is the correct mechanism for this deployment model.
VERDICT:
✅ Worth merging — Correct fix, clean implementation, well-documented architectural rationale.
KEY INSIGHT:
Enforcing required bot credentials at the KOTS config layer (not the Helm chart) is the right pattern for this deployment model — the .agents/skills update documents this convention so future reviewers don't re-raise the same concern.
This review was generated by an AI agent (OpenHands) on behalf of the user through OpenHands Automation. View conversation
- Drop redundant "(required)" from the bot token title; KOTS already marks required fields and the Jira DC fields use plain titles. - Reword the help text now the token is required: we post as the bot so its replies don't re-trigger, and instead of "do not sign in" give the real reason -- OpenHands ignores comments this bot authors, so use a dedicated account. - Revert the .agents/skills/code-review.md convention note now that the review has approved.
Drop the dedicated-account caveat from the help text; it will live in docs/ where there is room to explain it.
2 participants
What
When Bitbucket Data Center authentication is enabled, require the bot account:
bitbucket_data_center_bot_token→ nowrequired: true(was "strongly recommended").bitbucket_data_center_bot_username(the bot account's username/slug) →required: true, wired to theBITBUCKET_DATA_CENTER_BOT_USERNAMEenv (_env.yaml/openhands.yaml/values.yaml).openhandschart0.7.61→0.7.62.Why
OpenHands must post BBDC comments/reactions as the bot, never as the mentioning user — a user-authored reply containing
@openhandsre-triggers the webhook and spawns a duplicate conversation (confirmed from a customer support bundle). The app-side fix (OpenHands enterprise) posts as the bot and ignores the bot's own comments using the configured username (slug) — BBDC payloads carry the slug, not a reliable email. Making both required ensures the integration is always in the correct, non-duplicating configuration. Pairs with the OpenHands enterprise PR (BBDC → Jira DC parity).