Fix pullpreview enterprise token injection #21

Merged
crohr merged 10 commits into main from poc/pullpreview-enterprise-token-values-file on Apr 14, 2026

@crohr crohr commented Apr 14, 2026

Summary

This refactors the PullPreview workflows to stop transporting the OpenProject enterprise token through chart_set and instead render it through a checked-in Helm values template. The dispatch and scheduled workflows now share a single pullpreview/stack-values.yaml.gotmpl file, and the dispatch workflow passes only its optional override values as environment variables into the PullPreview action.

Root Cause

The original setup relied on chart_set to carry the enterprise token into the preview deployment. In PullPreview, chart_set is parsed as a comma-separated list and then translated into Helm --set arguments, which is a bad transport for a large opaque token payload.

The chart already supports seeding OPENPROJECT_SEED__ENTERPRISE__TOKEN through the generated OpenProject environment secret, so the safer path is to render that value into a Helm values file and let the chart consume it normally.

What Changed

  • Pinned pullpreview/action to 65df5209b58f360444525f1167f9e14803521fed, which includes local *.gotmpl rendering support for chart_values and the rebuilt dist bundle.
  • Replaced the old generated dispatch values flow with one checked-in template: pullpreview/stack-values.yaml.gotmpl.
  • Moved the enterprise token into openproject.environment.OPENPROJECT_SEED__ENTERPRISE__TOKEN inside that shared template.
  • Removed chart_set token injection entirely.
  • Removed the separate token overlay and dispatch-generated values file in favor of the single shared template.
  • Kept the dispatch workflow inputs unchanged, but mapped them to plain internal env names like OPENPROJECT_VERSION and INTEGRATION_OPENPROJECT_VERSION instead of INPUT_* names.
  • Kept the scheduled PullPreview workflow on the same shared template, with default behavior when override env vars are absent.
  • Preserved the job-summary secondary URLs step in the scheduled PullPreview workflow.

Validation

  • Parsed .github/workflows/pullpreview.yml and .github/workflows/pullpreview-dispatch.yml successfully after each refactor step.
  • Verified there are no remaining INPUT_ references in the workflow/template path.
  • Reviewed the final diff against main; no code-level regression stood out in the current branch.

Follow-up Validation

  • Run one scheduled PullPreview deployment.
  • Run one pullpreview-dispatch.yml deployment from openproject-e2e.
  • Confirm OpenProject comes up licensed without manual token application.
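
The transport problem described under Root Cause, as an added example that is not part of this pull request or of PullPreview's code: a simplified Python model that splits a chart_set-style string on commas into --set items and compares the result with writing the same value into a values document. The sample payload, the `example.other` key and all function names are assumptions made for illustration.

```python
import json

KEY = "openproject.environment.OPENPROJECT_SEED__ENTERPRISE__TOKEN"
# Constructed stand-in for an opaque multi-line payload; not a real token.
SAMPLE_TOKEN = "line-one-AAAA,BBBB==\nline-two-CCCC"


def chart_set_to_helm_args(chart_set):
    """Simplified model of the transport the PR describes: split the
    string on commas and emit one --set argument per item."""
    args = []
    for item in chart_set.split(","):
        if item.strip():
            args += ["--set", item.strip()]
    return args


def value_received(key, helm_args):
    """Value that arrives for `key` among the --set items, or None."""
    for item in helm_args[1::2]:
        name, sep, value = item.partition("=")
        if sep and name == key:
            return value
    return None


def render_values(token):
    """Values document with the token as one quoted scalar under KEY.
    JSON is emitted because YAML parsers accept it as-is."""
    doc = {}
    node = doc
    *parents, leaf = KEY.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = token
    return json.dumps(doc, indent=2)


def value_from_values(text):
    """Read the token back from the rendered values document."""
    node = json.loads(text)
    for part in KEY.split("."):
        node = node[part]
    return node


if __name__ == "__main__":
    args = chart_set_to_helm_args(f"example.other=1,{KEY}={SAMPLE_TOKEN}")
    print("items passed to --set:", args[1::2])
    print("via chart_set  :", repr(value_received(KEY, args)))
    print("via values file:", repr(value_from_values(render_values(SAMPLE_TOKEN))))
```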

@crohr crohr changed the title [codex] fix pullpreview enterprise token injection Fix pullpreview enterprise token injection Apr 14, 2026
@crohr crohr marked this pull request as ready for review April 14, 2026 13:16
@crohr crohr added the pullpreview (Trigger PullPreview preview environments) and auth-sso-external (Use PullPreview with external Keycloak SSO) labels Apr 14, 2026

github-actions bot commented Apr 14, 2026

Deploying integration-qa-helmfile with PullPreview

| Field | Value |
| --- | --- |
| Latest commit | a225f7b |
| Job | deploy |
| Status | 🗑️ Preview destroyed |
| Preview URL | Destroyed |

@crohr crohr merged commit 184e7cf into main Apr 14, 2026
6 of 7 checks passed
@github-actions github-actions bot removed the pullpreview (Trigger PullPreview preview environments) label Apr 14, 2026