Skip to content

[TT-17507] Migrate jira-linter auth from JIRA_TOKEN to JIRA_READ_AUTH#141

Merged
buraksezer merged 1 commit into
mainfrom
feat/TT-17507/refactor-jira-linter-auth
Jul 2, 2026
Merged

[TT-17507] Migrate jira-linter auth from JIRA_TOKEN to JIRA_READ_AUTH#141
buraksezer merged 1 commit into
mainfrom
feat/TT-17507/refactor-jira-linter-auth

Conversation

@buraksezer

@buraksezer buraksezer commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Migrates jira-linter from the expiring full-access JIRA_TOKEN to the scoped, read-only JIRA_READ_AUTH token. This is the same auth mechanism that branch-suggestion already uses.

  • Replace separate JIRA_USER_EMAIL + JIRA_TOKEN with single pre-encoded JIRA_READ_AUTH
  • Use JIRA_BASE_URL secret instead of hardcoded https://tyktech.atlassian.net
  • Update external repo checkout ref from main to production
  • Add new test cases for branch name patterns with slashes and complex suffixes

@buraksezer buraksezer requested a review from a team July 2, 2026 10:34
@probelabs

probelabs Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

This PR migrates the jira-linter GitHub Action from using a full-access JIRA_TOKEN to a scoped, read-only JIRA_READ_AUTH secret. This change enhances security by adopting a principle of least privilege and aligns the authentication mechanism with other internal tools like the branch-suggestion action.

The update replaces the JIRA_USER_EMAIL and JIRA_TOKEN secrets with a single, pre-encoded JIRA_READ_AUTH string. It also introduces a JIRA_BASE_URL secret to avoid hardcoding the Jira instance URL. To ensure user-facing links in PR descriptions remain functional, the browsable Jira site URL is now hardcoded, decoupling it from the API base URL.

Additionally, the external action checkout reference is updated from main to production for better stability, and test coverage is improved with new cases for complex branch name patterns.

Files Changed Analysis

  • .github/workflows/jira-lint.yaml: The reusable workflow is updated to accept JIRA_READ_AUTH and JIRA_BASE_URL secrets, replacing the old JIRA_USER_EMAIL and JIRA_TOKEN. The checkout ref for TykTechnologies/github-actions is changed from main to production.
  • jira-linter/.gitignore: A new file is added to ignore the compiled linter binary, which is a good repository practice.
  • jira-linter/README.md: Documentation is updated to reflect the new authentication method, guiding users on how to create and configure the JIRA_READ_AUTH secret.
  • jira-linter/action.yaml: The action's input interface is modified, removing jira-user-email and jira-api-token in favor of the new jira-read-auth input.
  • jira-linter/cmd/linter/config.go: The JiraConfig struct is updated to store ReadAuth instead of UserEmail and APIToken.
  • jira-linter/cmd/linter/main.go: The core application logic is changed to use the pre-encoded JIRA_READ_AUTH token directly in the Authorization header. A hardcoded jiraSiteURL is added to generate correct browsable links in PR descriptions.
  • jira-linter/cmd/linter/main_test.go: Tests are updated to align with the new authentication logic and to cover more complex branch naming conventions.

Architecture & Impact Assessment

What this PR accomplishes:
This PR strengthens the security of CI/CD workflows by replacing a Jira API token with broad permissions with a read-only, scoped token. It also improves configuration management by abstracting the Jira base URL into a secret and standardizes the authentication pattern across multiple internal tools.

Key technical changes introduced:

  • Authentication Flow: The authentication mechanism is shifted from dynamically creating a Base64-encoded token from email and a raw token to using a pre-encoded JIRA_READ_AUTH secret directly.
  • Configuration: The action's configuration is simplified to two secrets (JIRA_READ_AUTH, JIRA_BASE_URL) from three.
  • URL Handling: The Jira API base URL and the user-facing site URL are now treated as separate entities, preventing broken links in PR descriptions when a non-browsable API URL is used.

Affected system components:

  • The jira-linter GitHub Action and its reusable workflow (.github/workflows/jira-lint.yaml).
  • All repositories within the organization that utilize this reusable workflow. These repositories will need to update their GitHub secrets to use JIRA_READ_AUTH and JIRA_BASE_URL for the linter to function correctly.

Visualizing the Authentication Flow Change:

Before:

graph TD
    A[Workflow Secrets] -- "JIRA_USER_EMAIL, JIRA_TOKEN" --> B(Go Linter);
    B -- "Concatenates & Base64 Encodes" --> C(Authorization Header);
    C --> D[Jira API];
Loading

After:

graph TD
    A[Workflow Secrets] -- JIRA_READ_AUTH --> B(Go Linter);
    B -- Uses directly --> C(Authorization Header);
    C --> D[Jira API];
Loading

Scope Discovery & Context Expansion

The changes in this PR are confined to the jira-linter action but have a broad impact on all projects that consume it. The migration to JIRA_READ_AUTH is part of a larger effort to standardize security practices, as evidenced by the mention of the branch-suggestion action already using this pattern.

Any repository calling the jira-lint.yaml workflow must perform the following actions to adapt to this change:

  1. Generate a new scoped, read-only Jira API token.
  2. Create a Base64-encoded string of your-email:your-token.
  3. Update repository secrets by removing JIRA_USER_EMAIL and JIRA_TOKEN and adding JIRA_READ_AUTH (with the encoded value) and JIRA_BASE_URL (with the Jira API URL, e.g., https://api.atlassian.com/ex/jira/<cloudId>).

Failure to update the secrets in consuming repositories will cause their CI checks that rely on the Jira linter to fail.

Metadata
  • Review Effort: 2 / 5
  • Primary Label: enhancement

Powered by Visor from Probelabs

Last updated: 2026-07-02T10:37:03.351Z | Triggered by: pr_opened | Commit: 77ce5a4

💡 TIP: You can chat with Visor using /visor ask <your question>

@probelabs

probelabs Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Security Check Passed

No security issues found – changes LGTM.

\n\n

Architecture Issues (1)

Severity Location Issue
🟡 Warning jira-linter/cmd/linter/main.go:200
The Jira site URL is hardcoded as `https://tyktech.atlassian.net`. This couples the action to a specific organization's Jira instance, reducing its reusability for other users. The action's documentation suggests it is for general use, but this hardcoded value makes the feature that posts a browsable link to the PR description specific to Tyk.
💡 SuggestionTo maintain reusability, the Jira site URL should be configurable. Introduce a new input in `action.yaml`, such as `jira-site-url`, to allow users to provide their own browsable Jira URL. This would decouple the action from a specific environment and align the implementation with the generic documentation.

✅ Performance Check Passed

No performance issues found – changes LGTM.


Powered by Visor from Probelabs

Last updated: 2026-07-02T10:36:02.283Z | Triggered by: pr_opened | Commit: 77ce5a4

💡 TIP: You can chat with Visor using /visor ask <your question>

@asutosh asutosh left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@buraksezer buraksezer merged commit c414703 into main Jul 2, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants