Introduce TokenDisabled event for WorkflowRuns

Author: hellcp-work

src/api/.rubocop_todo.yml

@@ -1,12 +1,12 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --exclude-limit 100`
-# on 2026-03-06 12:51:37 UTC using RuboCop version 1.85.1.
+# on 2026-03-16 13:23:45 UTC using RuboCop version 1.85.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 3495
+# Offense count: 3493
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, AllowRBSInlineAnnotation, AllowCopDirectives, AllowedPatterns, SplitStrings.
 # URISchemes: http, https
@@ -47,7 +47,7 @@ Lint/UselessOr:
   Exclude:
     - 'app/lib/routes_helper/api_matcher.rb'
 
-# Offense count: 923
+# Offense count: 928
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
   Max: 255
@@ -62,7 +62,7 @@ Metrics/BlockNesting:
     - 'app/models/bs_request_action.rb'
     - 'lib/xpath_engine.rb'
 
-# Offense count: 86
+# Offense count: 87
 # Configuration parameters: CountComments, Max, CountAsOne.
 Metrics/ClassLength:
   Exclude:
@@ -89,6 +89,7 @@ Metrics/ClassLength:
     - 'app/controllers/webui/search_controller.rb'
     - 'app/controllers/webui/staging/workflows_controller.rb'
     - 'app/controllers/webui/users/notifications_controller.rb'
+    - 'app/controllers/webui/users/tokens_controller.rb'
     - 'app/controllers/webui/users_controller.rb'
     - 'app/controllers/webui/webui_controller.rb'
     - 'app/lib/backend/connection.rb'
@@ -244,7 +245,7 @@ Metrics/CyclomaticComplexity:
     - 'test/functional/zzz_post_consistency_test.rb'
     - 'test/node_matcher.rb'
 
-# Offense count: 1004
+# Offense count: 1007
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
   Max: 218
@@ -452,13 +453,13 @@ RSpec/AnyInstance:
     - 'spec/models/package_spec.rb'
     - 'spec/models/project_spec.rb'
 
-# Offense count: 1245
+# Offense count: 1236
 # Configuration parameters: Prefixes, AllowedPatterns.
 # Prefixes: when, with, without
 RSpec/ContextWording:
   Enabled: false
 
-# Offense count: 404
+# Offense count: 405
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: SkipBlocks, EnforcedStyle, OnlyStaticConstants.
 # SupportedStyles: described_class, explicit
@@ -566,16 +567,11 @@ RSpec/IndexedLet:
     - 'spec/shared/contexts/a_user_and_subscriptions.rb'
     - 'spec/shared/contexts/a_user_and_subscriptions_with_defaults.rb'
 
-# Offense count: 1728
+# Offense count: 1715
 # Configuration parameters: AllowSubject.
 RSpec/MultipleMemoizedHelpers:
   Max: 28
 
-# Offense count: 1
-RSpec/SpecFilePathSuffix:
-  Exclude:
-    - 'spec/models/package_datatable_spec_backup.rb'
-
 # Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
 Rails/ApplicationController:
@@ -733,7 +729,7 @@ Rails/TimeZone:
     - 'test/unit/binary_release_test.rb'
     - 'test/unit/package_remove_test.rb'
 
-# Offense count: 160
+# Offense count: 161
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle, EnforcedStyleForClasses, EnforcedStyleForModules.
 # SupportedStyles: nested, compact
@@ -766,7 +762,7 @@ Style/ConditionalAssignment:
   Exclude:
     - 'app/models/bs_request_action_submit.rb'
 
-# Offense count: 1165
+# Offense count: 1169
 # Configuration parameters: AllowedConstants.
 Style/Documentation:
   Enabled: false
@@ -779,7 +775,7 @@ Style/FileOpen:
     - 'script/start_test_backend'
     - 'test/test_helper.rb'
 
-# Offense count: 1928
+# Offense count: 1933
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: always, always_true, never

src/api/app/controllers/person/token_controller.rb

@@ -46,6 +46,7 @@ def update
       xml_attributes = xml.xpath('/token').first.to_h.slice('enabled', 'description', 'scm_token', 'workflow_configuration_path', 'workflow_configuration_url')
 
       token = @user.tokens.find(params[:id])
+      xml_attributes['reason'] = "Disabled by #{User.session.login}." if token.is_a?(Token::Workflow)
       if token.update(xml_attributes)
         render_ok
       else

src/api/app/controllers/webui/users/tokens_controller.rb

@@ -51,7 +51,7 @@ def update
         end
       end
       format.html do
-        if @token.update(update_parameters)
+        if @token.update(update_parameters.merge({ reason: "Disabled by #{User.session.login}." }))
           flash[:success] = 'Token successfully updated'
         else
           flash[:error] = "Failed to update Token: #{@token.errors.full_messages.to_sentence}"

src/api/app/models/event/base.rb

@@ -22,7 +22,7 @@ def notification_events
          Event::CommentForRequest, Event::CommentForReport,
          Event::RelationshipCreate, Event::RelationshipDelete,
          Event::Report, Event::Decision, Event::AppealCreated,
-         Event::WorkflowRunFail,
+         Event::WorkflowRunFail, Event::TokenDisabled,
          Event::AddedUserToGroup, Event::RemovedUserFromGroup,
          Event::Assignment, Event::UpstreamPackageVersionChanged]
       end

src/api/app/models/event/token_disabled.rb

@@ -0,0 +1,52 @@
+module Event
+  class TokenDisabled < Base
+    self.description = 'Workflow token disabled'
+    payload_keys :id, :token_id, :reason
+
+    receiver_roles :token_executor, :token_member
+    delegate :members, to: :token, prefix: true
+
+    self.notification_explanation = 'Receive a notification when a workflow token is disabled.'
+
+    def subject
+      "Workflow Token '#{token.description.presence || token.id}' was disabled"
+    end
+
+    def token_executors
+      [token&.executor].compact
+    end
+
+    def parameters_for_notification
+      super.merge(notifiable_type: 'WorkflowRun', notifiable_id: payload['id'], type: 'NotificationWorkflowRun')
+    end
+
+    def event_object
+      WorkflowRun.find(payload['id'])
+    end
+
+    private
+
+    def token
+      Token.find(payload['token_id'])
+    end
+  end
+end
+
+# == Schema Information
+#
+# Table name: events
+#
+#  id          :bigint           not null, primary key
+#  eventtype   :string(255)      not null, indexed
+#  mails_sent  :boolean          default(FALSE), indexed
+#  payload     :text(16777215)
+#  undone_jobs :integer          default(0)
+#  created_at  :datetime         indexed
+#  updated_at  :datetime
+#
+# Indexes
+#
+#  index_events_on_created_at  (created_at)
+#  index_events_on_eventtype   (eventtype)
+#  index_events_on_mails_sent  (mails_sent)
+#

src/api/app/models/event_subscription/for_channel_form.rb

@@ -7,7 +7,8 @@ class ForChannelForm
                               'Event::WorkflowRunFail', 'Event::AppealCreated',
                               'Event::FavoredDecision', 'Event::ClearedDecision',
                               'Event::AddedUserToGroup', 'Event::RemovedUserFromGroup',
-                              'Event::Assignment', 'Event::UpstreamPackageVersionChanged'].freeze
+                              'Event::Assignment', 'Event::UpstreamPackageVersionChanged',
+                              'Event::TokenDisabled'].freeze
 
     attr_reader :name, :subscription
 

src/api/app/models/notification_workflow_run.rb

@@ -1,6 +1,11 @@
 class NotificationWorkflowRun < Notification
   def description
-    ''
+    case event_type
+    when 'Event::TokenDisabled'
+      event_payload['reason']
+    else
+      ''
+    end
   end
 
   def excerpt
@@ -12,13 +17,24 @@ def avatar_objects
   end
 
   def link_text
-    'Workflow Run'
+    case event_type
+    when 'Event::TokenDisabled'
+      token = Token.find(event_payload['token_id'])
+      "Token '#{token.description.presence || token.id}' was disabled"
+    else
+      'Workflow Run'
+    end
   end
 
   def link_path
     return if notifiable.blank?
 
-    Rails.application.routes.url_helpers.token_workflow_run_path(notifiable.token_id, notifiable.id, notification_id: id)
+    case event_type
+    when 'Event::TokenDisabled'
+      Rails.application.routes.url_helpers.token_path(notifiable.token_id, notification_id: id)
+    else
+      Rails.application.routes.url_helpers.token_workflow_run_path(notifiable.token_id, notifiable.id, notification_id: id)
+    end
   end
 end
 

src/api/app/models/token/workflow.rb

@@ -15,12 +15,16 @@ class Token::Workflow < Token
                           dependent: :destroy,
                           inverse_of: :groups
 
+  attr_writer :reason
+
   validates :scm_token, presence: true
   # Either a url referring to the worklflow configuration file or a filepath to the config inside the
   # SCM repository has to be provided
   validates :workflow_configuration_path, presence: true, unless: -> { workflow_configuration_url.present? }
   validates :workflow_configuration_url, presence: true, unless: -> { workflow_configuration_path.present? }
 
+  after_save :disabled_event, if: -> { enabled_previously_changed?(from: true, to: false) }
+
   def call(options)
     set_triggered_at
     workflow_run = options[:workflow_run]
@@ -81,6 +85,10 @@ def validation_errors
       error_messages.flatten
     end
   end
+
+  def disabled_event
+    Event::TokenDisabled.create(id: workflow_runs.last&.id, token_id: id, reason: @reason)
+  end
 end
 
 # == Schema Information

src/api/app/models/workflow_run.rb

@@ -83,7 +83,9 @@ def update_as_failed(message)
     # "Failed to report back to GitHub: Unauthorized request. Please check your credentials again."
     # "Failed to report back to GitHub: Request is forbidden."
 
-    token.update(enabled: false) if message.include?('Unauthorized request') || /Request (is )?forbidden/.match?(message)
+    return unless message.include?('Unauthorized request') || /Request (is )?forbidden/.match?(message)
+
+    token.update(enabled: false, reason: "Authentication to #{scm_vendor.titleize} failed.")
   end
 
   # Stores debug info to help figure out what went wrong when trying to save a Status in the SCM.

src/api/app/services/notification_service/notifier.rb

@@ -23,7 +23,8 @@ class Notifier
                         'Event::RemovedUserFromGroup',
                         'Event::AssignmentCreate',
                         'Event::AssignmentDelete',
-                        'Event::UpstreamPackageVersionChanged'].freeze
+                        'Event::UpstreamPackageVersionChanged',
+                        'Event::TokenDisabled'].freeze
     CHANNELS = %i[web rss].freeze
     ALLOWED_NOTIFIABLE_TYPES = {
       'BsRequest' => ::BsRequest,
@@ -50,7 +51,8 @@ class Notifier
                         'Event::FavoredDecision',
                         'Event::WorkflowRunFail',
                         'Event::AddedUserToGroup',
-                        'Event::RemovedUserFromGroup'].freeze
+                        'Event::RemovedUserFromGroup',
+                        'Event::TokenDisabled'].freeze
 
     def initialize(event)
       @event = event