Bug 2023761 - [GITHUB] Allow use of individual api keys for pull requests and push comments instead of single share secret

[dklawren]

Bug 2023761 - Replace single shared GitHub webhook secret with per-bot API keys

Instead of a single github_pr_signature_secret parameter shared across all
GitHub webhook integrations, each bot account now creates a Bugzilla API key
and uses it as their webhook secret. If a key is compromised, only that bot
account needs to be disabled — other integrations are unaffected.

Changes:

• Add github-webhook-bot system group; bot accounts in this group have their
  non-revoked API keys accepted as valid webhook secrets
• Rewrite _verify_signature in Bugzilla/API/V1/Github.pm to query all API
  keys for github-webhook-bot group members, with a fallback to the legacy
  github_pr_signature_secret parameter for backward compatibility
• Mark github_pr_signature_secret as deprecated in the admin UI
• Add API key for github-automation@bmo.tld and assign it to the new group
  in generate_bmo_data.pl
• Update webservices tests to sign webhook payloads with the bot account API
  key instead of the hardcoded shared secret
• Update setup documentation for both webhook endpoints

[Copilot]

Pull request overview

This PR updates Bugzilla’s GitHub webhook authentication to support per-bot secrets (using Bugzilla API keys) instead of a single shared instance parameter, improving revocability and isolating integrations.

Changes:

• Add a new system group (github-webhook-bot) and authenticate GitHub webhooks by trying non-revoked API keys belonging to users in that group (with legacy shared-secret fallback).
• Update QA seed data + REST tests to use the new per-bot API key secret flow.
• Refresh admin parameter help text and public API docs to describe the new setup process.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
Bugzilla/API/V1/Github.pm	Verifies webhook signatures against API keys for users in github-webhook-bot, with legacy shared-secret fallback.
Bugzilla/Install.pm	Adds github-webhook-bot as a system group.
scripts/generate_bmo_data.pl	Seeds a GitHub automation bot API key and adds it to the new group; removes default legacy secret.
qa/config/selenium_test.conf	Adds config entries for the GitHub automation bot login and API key used by tests.
qa/t/rest_github_pull_request.t	Uses the configured GitHub automation API key as the webhook secret in tests.
qa/t/rest_github_push_comment.t	Uses the configured GitHub automation API key as the webhook secret in tests.
docs/en/rst/api/core/v1/github.rst	Updates webhook setup docs to use per-bot API keys and the new group.
template/en/default/admin/params/github.html.tmpl	Marks the legacy shared-secret parameter as deprecated and documents migration steps.
extensions/PhabBugz/Extension.pm	Avoids undef warning by guarding content-type comparison.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

This PR updates Bugzilla’s GitHub webhook authentication model to support per-bot secrets by treating Bugzilla user API keys (for users in a new github-webhook-bot group) as valid webhook secrets, while keeping the legacy shared secret parameter as a migration fallback.

Changes:

• Add system group github-webhook-bot and update webhook signature verification to accept any non-revoked API key owned by a user in that group.
• Update BMO test data + QA configs/tests to use a dedicated github-automation bot API key as the webhook secret.
• Refresh admin parameter help text and public docs to describe the migration and revocation workflow.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
template/en/default/admin/params/github.html.tmpl	Deprecates shared secret param text and documents migration to per-bot secrets.
scripts/generate_bmo_data.pl	Seeds github-automation API key and adds the user to github-webhook-bot; removes default shared secret param seeding.
qa/t/rest_github_push_comment.t	Uses configured github_automation API key as webhook secret in tests.
qa/t/rest_github_pull_request.t	Uses configured github_automation API key as webhook secret in tests.
qa/t/1_test_bug_edit.t	Updates hard-coded group id in Selenium test due to new system group.
qa/config/selenium_test.conf	Adds github_automation login and API key to QA config.
extensions/PhabBugz/Extension.pm	Avoids undef warning by guarding content-type comparison.
docs/en/rst/api/core/v1/github.rst	Updates setup docs to use per-bot API keys and group membership.
Bugzilla/Install.pm	Adds new system group github-webhook-bot.
Bugzilla/API/V1/Github.pm	Implements per-bot API-key-based webhook signature verification + legacy fallback.

Comments suppressed due to low confidence (1)

qa/t/1_test_bug_edit.t:47

• This test hard-codes the numeric group id for the "Master" group (now 32). That value is installation/order-dependent and will change again as soon as another system group is added, making the test unnecessarily brittle. Since you already parse the group id from the current URL right after this, consider removing the strict URL assertion here (or asserting only on action=changeform and group=\d+).

$sel->click_ok("link=Master");
check_page_load($sel,
  q{http://HOSTNAME/editgroups.cgi?action=changeform&group=32});
$sel->title_is("Change Group: Master");
my $group_url = $sel->get_location();
$group_url =~ /group=(\d+)$/;
my $master_gid = $1;

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.