OCPERT-368: Replace GitHub token with Github app for ERT dashboard #1052

Open
tomasdavidorg wants to merge 2 commits into openshift:main from tomasdavidorg:OCPERT-368_dashboard

@tomasdavidorg tomasdavidorg commented May 27, 2026

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED

https://redhat.atlassian.net/browse/OCPERT-368

Summary by CodeRabbit

  • Chores
    • Updated authentication for the release test dashboard to an app-based method and added validation with user-facing warnings/errors when configuration is missing or initialization fails.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 27, 2026

openshift-ci-robot commented May 27, 2026

@tomasdavidorg: This pull request references OCPERT-368 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

In response to this:

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED

https://redhat.atlassian.net/browse/OCPERT-368

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 27, 2026

openshift-ci Bot commented May 27, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3b635ec2-2248-4abb-82ab-f89e98dd148a

📥 Commits

Reviewing files that changed from the base of the PR and between d89fb47 and 767d90e.

📒 Files selected for processing (1)
  • tools/auto_release_test_dashboard.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • tools/auto_release_test_dashboard.py

Walkthrough

Updates the Streamlit dashboard to use GitHub App authentication: reads GITHUB_APP_WRITER_ID and GITHUB_APP_WRITER_PRIVATE_KEY, validates them with early stop, and creates a repository-scoped client via GitHubApp(...).client_for_repo(...) with error handling.

Changes

GitHub App Authentication Setup

| Layer / File(s) | Summary |
|---|---|
| GitHub App authentication setup (tools/auto_release_test_dashboard.py) | Replaced GITHUB_TOKEN + Github(Auth.Token(...)) with GitHubApp credentials (GITHUB_APP_WRITER_ID, GITHUB_APP_WRITER_PRIVATE_KEY). Added environment variable validation that warns and stops execution if either credential is missing. Repository client is now created via GitHubApp(...).client_for_repo() wrapped in try/except with logging and st.error + st.stop() on failure. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No-Sensitive-Data-In-Logs | ❌ Error | Line 30 uses logger.exception() which logs full exception traceback including local variable github_app_private_key (sensitive API credential) from line 27-28 call to GitHubApp(). | Replace logger.exception() with logger.error() to avoid traceback, or use logger.exception() only after clearing sensitive variables from scope. |

✅ Passed checks (14 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: migrating from GitHub token authentication to GitHub App authentication for the dashboard. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR contains no Ginkgo tests. Repository is Python-based using unittest, and PR only modifies tools/auto_release_test_dashboard.py (Streamlit dashboard). Check is not applicable. |
| Test Structure And Quality | ✅ Passed | PR contains no Ginkgo test code to review. All test files are Python unittest tests, not Go Ginkgo tests. Custom check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR modifies Python dashboard tool, not Ginkgo e2e tests. Custom check for MicroShift test compatibility is not applicable to this Python-only codebase change. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. Changes are limited to Python dashboard tooling (auto_release_test_dashboard.py), which is not subject to SNO compatibility checks. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR modifies a Python Streamlit dashboard tool (authentication mechanism), not deployment manifests, operator code, or Kubernetes controllers. No scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | Not applicable: PR modifies a Streamlit dashboard (Python web app), not a Go OTE binary. No stdout writes in module-level code detected. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR modifies a Python Streamlit dashboard tool, not Ginkgo e2e tests. Check only applies to new Go tests with IPv4/external connectivity assumptions. |
| No-Weak-Crypto | ✅ Passed | No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the modified file. |
| Container-Privileges | ✅ Passed | PR modifies Python application code; Dockerfiles and K8s manifests contain no privileged container configurations, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or unsafe root execution. |

Comment @coderabbitai help to get the list of available commands and usage tips.
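
An added example, not code from this PR or the repository: the validate-then-initialize flow from the walkthrough, with a log handler filter that keeps the private key out of the log when an exception message carries it into the traceback. `FakeGitHubApp`, `RedactSecrets`, `init_client` and `run_demo` are hypothetical names, the failing stand-in class is an assumption, and the Streamlit calls are replaced by a returned user message so the block runs offline.

```python
import io
import logging

class RedactSecrets(logging.Filter):
    """Handler filter: render message and traceback, then scrub known secrets."""
    def __init__(self, secrets):
        super().__init__()
        self.secrets = [s for s in secrets if s]
    def filter(self, record):
        text = record.getMessage()
        if record.exc_info:
            text += "\n" + logging.Formatter().formatException(record.exc_info)
            record.exc_info = record.exc_text = None
        for secret in self.secrets:  # exact-match replacement only
            text = text.replace(secret, "[REDACTED]")
        record.msg, record.args = text, ()
        return True


class FakeGitHubApp:
    """Hypothetical stand-in for GitHubApp whose error echoes the key."""
    def __init__(self, app_id, private_key):
        self.private_key = private_key
    def client_for_repo(self, owner, name):
        raise ValueError(f"could not parse key: {self.private_key}")


def init_client(env, logger, app_cls=FakeGitHubApp):
    """Return (client, user_message); the caller shows the message and stops."""
    names = ("GITHUB_APP_WRITER_ID", "GITHUB_APP_WRITER_PRIVATE_KEY")
    missing = [n for n in names if not env.get(n)]
    if missing:
        return None, "Missing configuration: " + ", ".join(missing)
    try:
        app = app_cls(env[names[0]], env[names[1]])
        return app.client_for_repo("example-owner", "example-repo"), None
    except Exception:
        logger.exception("GitHub App client initialization failed")
        return None, "GitHub App authentication failed; see server logs."


def run_demo(env):
    """Run init_client with an in-memory log; return (user_message, log_text)."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecrets([env.get("GITHUB_APP_WRITER_PRIVATE_KEY")]))
    logger = logging.Logger("dashboard-demo")
    logger.addHandler(handler)
    return init_client(env, logger)[1], buf.getvalue()
```

The filter only catches the key when it appears verbatim; an encoded or truncated copy in a message would pass through.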


openshift-ci Bot commented May 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign luboterifaj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tools/auto_release_test_dashboard.py`:
- Around line 22-24: Wrap the GitHubApp(github_app_id,
github_app_private_key).client_for_repo(repository_owner, repository_name) call
in a try/except that catches broad initialization errors (e.g., Exception) when
creating gh, log the exception and call streamlit.error with a clear message
before stopping further execution; specifically surround the GitHubApp and
client_for_repo invocation (the code that assigns gh) and on exception call
streamlit.error(...) and return/exit so the Streamlit app doesn't crash.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4a09677e-0b9b-4700-8141-2b19b5144dac

📥 Commits

Reviewing files that changed from the base of the PR and between ee30ced and d89fb47.

📒 Files selected for processing (1)
  • tools/auto_release_test_dashboard.py

Comment thread tools/auto_release_test_dashboard.py Outdated
@tomasdavidorg tomasdavidorg marked this pull request as ready for review May 28, 2026 11:45
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 28, 2026

openshift-ci Bot commented May 28, 2026

@tomasdavidorg: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
