cfg: make specifying repos mandatory

Author: yasunariw

documentation/secret_docs.md

@@ -8,41 +8,28 @@ A secrets file stores sensitive information. Unlike the repository configuration
 
 ```json
 {
-    "gh_token": "",
-    "slack_access_token": ""
+    "repos": [
+      {
+        "url": "https://github.com/ahrefs/monorobot",
+        "gh_token": "XXX"
+      }
+    ],
+    "slack_access_token": "XXX"
 }
 ```
 
 | value | description | optional | default |
 |-|-|-|-|
-| `gh_token` | specify to grant the bot access to private repositories; omit for public repositories | Yes | - |
-| `gh_hook_token` | specify to ensure the bot only receives GitHub notifications from pre-approved repositories | Yes | - |
-| `repos` | specify to use Monorobot in multiple repositories (with support for overriding secrets) | Yes | - |
+| `repos` | specify each target repository's url and its secrets | No | - |
 | `slack_access_token` | slack bot access token to enable message posting to the workspace | Yes | try to use webhooks defined in `slack_hooks` instead |
 | `slack_hooks` | list of channel names and their corresponding webhook endpoint | Yes | try to use token defined in `slack_access_token` instead |
 | `slack_signing_secret` | specify to verify incoming slack requests | Yes | - |
 
 Note that either `slack_access_token` or `slack_hooks` must be defined. If both are present, the bot will send notifications using webhooks.
 
-## `gh_token`
-
-Some operations, such as fetching a config file from a private repository, or the commit corresponding to a commit comment event, require a personal access token. Refer [here](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) for detailed instructions on token generation.
-
-*See `repos` if you need to support multiple repositories that use different tokens.*
-
-## `gh_hook_token`
-
-Refer [here](https://docs.github.com/en/free-pro-team@latest/developers/webhooks-and-events/securing-your-webhooks) for more information on securing webhooks with a token.
-
-*See `repos` if you need to support multiple repositories that use different tokens.*
-
 ## `repos`
 
-Specifies which repositories to accept events from, along with any repository-specific overrides to secrets. If omitted, assumes all notifications come from a single repository and accepts all events.
-
-Secrets defined here take precedence over those defined at the top level of the secrets file.
-
-Repository URLs should be fully qualified (include the protocol), with no trailing backslash.
+Specifies which repositories to accept events from, along with any repository-specific overrides to secrets.
 
 ```json
 [
@@ -58,6 +45,24 @@ Repository URLs should be fully qualified (include the protocol), with no traili
 ]
 ```
 
+| value | description | optional | default |
+|-|-|-|-|
+| `url` | the repository url. | No | - |
+| `gh_token` | specify to grant the bot access to private repositories; omit for public repositories | Yes | - |
+| `gh_hook_token` | specify to ensure the bot only receives GitHub notifications from pre-approved repositories | Yes | - |
+
+### `repos`
+
+Repository URLs should be fully qualified (include the protocol), with no trailing backslash.
+
+### `gh_token`
+
+Some operations, such as fetching a config file from a private repository, or the commit corresponding to a commit comment event, require a personal access token. Refer [here](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) for detailed instructions on token generation.
+
+### `gh_hook_token`
+
+Refer [here](https://docs.github.com/en/free-pro-team@latest/developers/webhooks-and-events/securing-your-webhooks) for more information on securing webhooks with a token.
+
 ## `slack_access_token`
 
 Required for:

lib/action.ml

@@ -237,9 +237,9 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
       let signing_key = Context.gh_hook_token_of_secrets secrets repo.url in
       Github.validate_signature ?signing_key ~headers body
     in
-    let repo_is_allowed secrets payload =
+    let repo_is_supported secrets payload =
       let repo = Github.repo_of_notification payload in
-      List.is_empty secrets.repos || List.exists secrets.repos ~f:(fun r -> String.equal r.url repo.url)
+      List.exists secrets.repos ~f:(fun r -> String.equal r.url repo.url)
     in
     try%lwt
       let secrets = Context.get_secrets_exn ctx in
@@ -249,7 +249,7 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
       match validate_signature secrets payload with
       | Error e -> action_error e
       | Ok () ->
-      match repo_is_allowed secrets payload with
+      match repo_is_supported secrets payload with
       | false -> action_error "unsupported repository"
       | true ->
         ( match%lwt refresh_repo_config ctx payload with

lib/config.atd

@@ -44,24 +44,20 @@ type webhook = {
   channel : string; (* name of the Slack channel to post the message *)
 }
 
-type gh_secrets = {
+type repo_config = {
+  (* Repository url. Fully qualified (include protocol), without trailing slash. e.g. https://github.com/ahrefs/monorobot *)
+  url : string;
   (* GitHub personal access token, if repo access requires it *)
   ?gh_token : string nullable;
   (* GitHub webhook token to secure the webhook *)
   ?gh_hook_token : string nullable;
 }
 
-type repo_config = {
-  url : string;
-  inherit gh_secrets;
-}
-
 (* This is the structure of the secrets file which stores sensitive information, and
    shouldn't be checked into version control.  *)
 type secrets = {
-  inherit gh_secrets;
   (* repo-specific secrets; overrides global values if defined for a given repo *)
-  ~repos <ocaml default="[]"> : repo_config list;
+  repos : repo_config list;
   (* list of Slack webhook & channel name pairs *)
   ~slack_hooks <ocaml default="[]"> : webhook list;
   (* Slack bot token (`xoxb-XXXX`), giving the bot capabilities to interact with the workspace *)

lib/context.ml

@@ -44,12 +44,12 @@ let set_repo_config ctx repo_url config = Stringtbl.set ctx.config ~key:repo_url
 
 let gh_token_of_secrets (secrets : Config_t.secrets) repo_url =
   match List.find secrets.repos ~f:(fun r -> String.equal r.Config_t.url repo_url) with
-  | None -> secrets.gh_token
+  | None -> None
   | Some repos -> repos.gh_token
 
 let gh_hook_token_of_secrets (secrets : Config_t.secrets) repo_url =
   match List.find secrets.repos ~f:(fun r -> String.equal r.Config_t.url repo_url) with
-  | None -> secrets.gh_hook_token
+  | None -> None
   | Some repos -> repos.gh_hook_token
 
 let hook_of_channel ctx channel_name =
@@ -81,6 +81,9 @@ let refresh_secrets ctx =
       match secrets.slack_access_token, secrets.slack_hooks with
       | None, [] -> fmt_error "either slack_access_token or slack_hooks must be defined in file '%s'" path
       | _ ->
+      match secrets.repos with
+      | [] -> fmt_error "at least one repository url must be specified in the 'repos' list in file %S" path
+      | _ :: _ ->
         ctx.secrets <- Some secrets;
         Ok ctx
     end

test/secrets.json

@@ -1,3 +1,8 @@
 {
+    "repos": [
+        {
+            "url": ""
+        }
+    ],
     "slack_access_token": ""
 }

test/test.ml

@@ -22,6 +22,8 @@ let process ~(secrets : Config_t.secrets) ~config (kind, path, state_path) =
   let headers = [ "x-github-event", kind ] in
   let make_test_context event =
     let repo = Github.repo_of_notification @@ Github.parse_exn headers event in
+    (* overwrite repo url in secrets with that of notification for this test case *)
+    let secrets = { secrets with repos = [ { url = repo.url; gh_token = None; gh_hook_token = None } ] } in
     let ctx = Context.make () in
     ctx.secrets <- Some secrets;
     let%lwt _ = State.find_or_add_repo ctx.state repo.url in