Introduce TokenDisabled event for WorkflowRuns

Author: hellcp-work

src/api/.rubocop_todo.yml

@@ -1,12 +1,12 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --exclude-limit 100`
-# on 2026-03-06 12:51:37 UTC using RuboCop version 1.85.1.
+# on 2026-03-16 13:23:45 UTC using RuboCop version 1.85.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 3495
+# Offense count: 3493
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, AllowRBSInlineAnnotation, AllowCopDirectives, AllowedPatterns, SplitStrings.
 # URISchemes: http, https
@@ -47,7 +47,7 @@ Lint/UselessOr:
   Exclude:
     - 'app/lib/routes_helper/api_matcher.rb'
 
-# Offense count: 923
+# Offense count: 928
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
   Max: 255
@@ -62,7 +62,7 @@ Metrics/BlockNesting:
     - 'app/models/bs_request_action.rb'
     - 'lib/xpath_engine.rb'
 
-# Offense count: 86
+# Offense count: 87
 # Configuration parameters: CountComments, Max, CountAsOne.
 Metrics/ClassLength:
   Exclude:
@@ -89,6 +89,7 @@ Metrics/ClassLength:
     - 'app/controllers/webui/search_controller.rb'
     - 'app/controllers/webui/staging/workflows_controller.rb'
     - 'app/controllers/webui/users/notifications_controller.rb'
+    - 'app/controllers/webui/users/tokens_controller.rb'
     - 'app/controllers/webui/users_controller.rb'
     - 'app/controllers/webui/webui_controller.rb'
     - 'app/lib/backend/connection.rb'
@@ -244,7 +245,7 @@ Metrics/CyclomaticComplexity:
     - 'test/functional/zzz_post_consistency_test.rb'
     - 'test/node_matcher.rb'
 
-# Offense count: 1004
+# Offense count: 1007
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
   Max: 218
@@ -452,13 +453,13 @@ RSpec/AnyInstance:
     - 'spec/models/package_spec.rb'
     - 'spec/models/project_spec.rb'
 
-# Offense count: 1245
+# Offense count: 1236
 # Configuration parameters: Prefixes, AllowedPatterns.
 # Prefixes: when, with, without
 RSpec/ContextWording:
   Enabled: false
 
-# Offense count: 404
+# Offense count: 405
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: SkipBlocks, EnforcedStyle, OnlyStaticConstants.
 # SupportedStyles: described_class, explicit
@@ -566,16 +567,11 @@ RSpec/IndexedLet:
     - 'spec/shared/contexts/a_user_and_subscriptions.rb'
     - 'spec/shared/contexts/a_user_and_subscriptions_with_defaults.rb'
 
-# Offense count: 1728
+# Offense count: 1715
 # Configuration parameters: AllowSubject.
 RSpec/MultipleMemoizedHelpers:
   Max: 28
 
-# Offense count: 1
-RSpec/SpecFilePathSuffix:
-  Exclude:
-    - 'spec/models/package_datatable_spec_backup.rb'
-
 # Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
 Rails/ApplicationController:
@@ -733,7 +729,7 @@ Rails/TimeZone:
     - 'test/unit/binary_release_test.rb'
     - 'test/unit/package_remove_test.rb'
 
-# Offense count: 160
+# Offense count: 161
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle, EnforcedStyleForClasses, EnforcedStyleForModules.
 # SupportedStyles: nested, compact
@@ -766,7 +762,7 @@ Style/ConditionalAssignment:
   Exclude:
     - 'app/models/bs_request_action_submit.rb'
 
-# Offense count: 1165
+# Offense count: 1169
 # Configuration parameters: AllowedConstants.
 Style/Documentation:
   Enabled: false
@@ -779,7 +775,7 @@ Style/FileOpen:
     - 'script/start_test_backend'
     - 'test/test_helper.rb'
 
-# Offense count: 1928
+# Offense count: 1933
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: always, always_true, never

src/api/app/controllers/person/token_controller.rb

@@ -46,7 +46,9 @@ def update
       xml_attributes = xml.xpath('/token').first.to_h.slice('enabled', 'description', 'scm_token', 'workflow_configuration_path', 'workflow_configuration_url')
 
       token = @user.tokens.find(params[:id])
+      token_enabled = token.enabled
       if token.update(xml_attributes)
+        Event::TokenDisabled.create(id: token.workflow_runs.first&.id, token_id: token.id, user_id: @user.id, reason: "Disabled by #{@user.login}.") if token_enabled && !token.enabled
         render_ok
       else
         render_error status: 400, errorcode: 'invalid_token_attribute_value', message: token.errors.full_messages.to_sentence

src/api/app/controllers/webui/users/tokens_controller.rb

@@ -51,7 +51,12 @@ def update
         end
       end
       format.html do
+        token_enabled = @token.enabled
         if @token.update(update_parameters)
+          if token_enabled && !@token.enabled
+            Event::TokenDisabled.create(id: @token.workflow_runs.first&.id, token_id: @token.id, user_id: User.session.id,
+                                        reason: "Disabled by #{User.session.login}.")
+          end
           flash[:success] = 'Token successfully updated'
         else
           flash[:error] = "Failed to update Token: #{@token.errors.full_messages.to_sentence}"

src/api/app/models/event/base.rb

@@ -22,7 +22,7 @@ def notification_events
          Event::CommentForRequest, Event::CommentForReport,
          Event::RelationshipCreate, Event::RelationshipDelete,
          Event::Report, Event::Decision, Event::AppealCreated,
-         Event::WorkflowRunFail,
+         Event::WorkflowRunFail, Event::TokenDisabled,
          Event::AddedUserToGroup, Event::RemovedUserFromGroup,
          Event::Assignment, Event::UpstreamPackageVersionChanged]
       end

src/api/app/models/event/token_disabled.rb

@@ -0,0 +1,52 @@
+module Event
+  class TokenDisabled < Base
+    self.description = 'Workflow token disabled'
+    payload_keys :id, :token_id, :reason, :user_id
+
+    receiver_roles :token_executor, :token_member
+    delegate :members, to: :token, prefix: true
+
+    self.notification_explanation = 'Receive a notification when a workflow token is disabled.'
+
+    def subject
+      "Workflow Token '#{token.description.presence || token.id}' was disabled"
+    end
+
+    def token_executors
+      [token&.executor].compact
+    end
+
+    def parameters_for_notification
+      super.merge(notifiable_type: 'WorkflowRun', notifiable_id: payload['id'], type: 'NotificationWorkflowRun')
+    end
+
+    def event_object
+      WorkflowRun.find(payload['id'])
+    end
+
+    private
+
+    def token
+      Token.find(payload['token_id'])
+    end
+  end
+end
+
+# == Schema Information
+#
+# Table name: events
+#
+#  id          :bigint           not null, primary key
+#  eventtype   :string(255)      not null, indexed
+#  mails_sent  :boolean          default(FALSE), indexed
+#  payload     :text(16777215)
+#  undone_jobs :integer          default(0)
+#  created_at  :datetime         indexed
+#  updated_at  :datetime
+#
+# Indexes
+#
+#  index_events_on_created_at  (created_at)
+#  index_events_on_eventtype   (eventtype)
+#  index_events_on_mails_sent  (mails_sent)
+#

src/api/app/models/event_subscription/for_channel_form.rb

@@ -7,7 +7,8 @@ class ForChannelForm
                               'Event::WorkflowRunFail', 'Event::AppealCreated',
                               'Event::FavoredDecision', 'Event::ClearedDecision',
                               'Event::AddedUserToGroup', 'Event::RemovedUserFromGroup',
-                              'Event::Assignment', 'Event::UpstreamPackageVersionChanged'].freeze
+                              'Event::Assignment', 'Event::UpstreamPackageVersionChanged',
+                              'Event::TokenDisabled'].freeze
 
     attr_reader :name, :subscription
 

src/api/app/models/notification_workflow_run.rb

@@ -1,6 +1,11 @@
 class NotificationWorkflowRun < Notification
   def description
-    ''
+    case event_type
+    when 'Event::TokenDisabled'
+      event_payload['reason']
+    else
+      ''
+    end
   end
 
   def excerpt
@@ -12,13 +17,24 @@ def avatar_objects
   end
 
   def link_text
-    'Workflow Run'
+    case event_type
+    when 'Event::TokenDisabled'
+      token = Token.find(event_payload['token_id'])
+      "Token '#{token.description.presence || token.id}' was disabled"
+    else
+      'Workflow Run'
+    end
   end
 
   def link_path
     return if notifiable.blank?
 
-    Rails.application.routes.url_helpers.token_workflow_run_path(notifiable.token_id, notifiable.id, notification_id: id)
+    case event_type
+    when 'Event::TokenDisabled'
+      Rails.application.routes.url_helpers.token_path(notifiable.token_id, notification_id: id)
+    else
+      Rails.application.routes.url_helpers.token_workflow_run_path(notifiable.token_id, notifiable.id, notification_id: id)
+    end
   end
 end
 

src/api/app/models/workflow_run.rb

@@ -83,7 +83,10 @@ def update_as_failed(message)
     # "Failed to report back to GitHub: Unauthorized request. Please check your credentials again."
     # "Failed to report back to GitHub: Request is forbidden."
 
-    token.update(enabled: false) if message.include?('Unauthorized request') || /Request (is )?forbidden/.match?(message)
+    return unless message.include?('Unauthorized request') || /Request (is )?forbidden/.match?(message)
+
+    token.update(enabled: false)
+    Event::TokenDisabled.create(id: id, token_id: token.id, reason: "Authentication to #{scm_vendor.titleize} failed.")
   end
 
   # Stores debug info to help figure out what went wrong when trying to save a Status in the SCM.

src/api/app/services/notification_service/notifier.rb

@@ -23,7 +23,8 @@ class Notifier
                         'Event::RemovedUserFromGroup',
                         'Event::AssignmentCreate',
                         'Event::AssignmentDelete',
-                        'Event::UpstreamPackageVersionChanged'].freeze
+                        'Event::UpstreamPackageVersionChanged',
+                        'Event::TokenDisabled'].freeze
     CHANNELS = %i[web rss].freeze
     ALLOWED_NOTIFIABLE_TYPES = {
       'BsRequest' => ::BsRequest,
@@ -50,7 +51,8 @@ class Notifier
                         'Event::FavoredDecision',
                         'Event::WorkflowRunFail',
                         'Event::AddedUserToGroup',
-                        'Event::RemovedUserFromGroup'].freeze
+                        'Event::RemovedUserFromGroup',
+                        'Event::TokenDisabled'].freeze
 
     def initialize(event)
       @event = event

src/api/app/views/event_mailer/token_disabled.html.haml

@@ -0,0 +1,13 @@
+%p
+  - token = Token.find(event['token_id'])
+  The Workflow Token '#{token.description.presence || token.id}' was disabled.
+
+- if event['reason']
+  %p
+    = event['reason']
+
+%p
+  - if event['user_id']
+    Check the details about this #{link_to('Token', token_url(event['token_id'], only_path: false, host: @host)) }.
+  - else
+    Check the details about this #{link_to('Workflow Run', token_workflow_run_url(event['token_id'], event['id'], only_path: false, host: @host)) }.