Artifactory permission issue since plugin-modernizer-tool was moved to jenkins-infra

[jonesbusy]

Service(s)

Artifactory

Summary

Hi,

Since we move the repo to the jenkins-infra org we cannot use anymore the cd workflow because we lost permission to Artifactory

https://github.com/jenkins-infra/plugin-modernizer-tool/actions/runs/12213040105/job/34072201325

I guess the RPU ignore this repo so we probably need other credentials

I'm not sure if we have other maven repo on jenkins-infra that publish artifact to Artifactory, but can we add those secret to the repo ? (MAVEN_TOKEN and MAVEN_USERNAME)

FYI we started to work on the JReleaser to publish the tap. The idea I had in my is

• Keep the cdworkflow to create the release, publish to Artifactory (only the core dependency since Don't distribute the CLI artifacts (like the far jar) to Artifactory plugin-modernizer-tool#412. The CLI is a fat jar of ~100Mib)
• Use jrelease to attach the far jar CLI in the release (there are option to only attach assets, checksum etc..) and perform the hombrew distribution (A first PR has been merged here Add JReleaser and workflows plugin-modernizer-tool#411 (without the homebrew for the moment)

But right now I'm stuck to use the cd workflow :(

Thank you help ?

Regards,

Reproduction steps

No response

[jonesbusy]

FYI @gounthar

[timja]

The error is:

WARNING	i.j.i.r.GitHubImpl#getRepositoryPublicKey: Failed to retrieve public key for jenkins-infra/plugin-modernizer-tool, response code: 403

[timja]

I've added jenkins-infra-bot as an admin on https://github.com/jenkins-infra/plugin-modernizer-tool.

I think that might sort it. The account is an owner on Jenkinsci but not on jenkins-infra

[gounthar]

Thanks, Tim! 👍

[jonesbusy]

Thanks, I will wait a while to have the token created (since we move the repo we also lost access to credential section of the repo)

[timja]

restored

[jonesbusy]

https://github.com/jenkins-infra/plugin-modernizer-tool/actions/runs/12213775709/job/34073769001#step:5:1

Thanks but seems I still got 401

[timja]

Hmm different error now, 403: https://github.com/jenkins-infra/plugin-modernizer-tool/actions/runs/12214126072/job/34074515556

[jonesbusy]

Mhh that's weird

[jonesbusy]

Could be related to https://github.com/jenkins-infra/repository-permissions-updater/pull/4127/files#diff-fc4047510f5e367e5511180a4da22064a9664ba4e829e36604125741cccb2bcb ?

We didn't perform a release since this PR

[timja]

yeah its probably that, I've been trying to debug it locally to generate the json files but I can't get the tool to run on my machine:

❯ java -DdryRun=true  -DdefinitionsDir=$PWD/permissions -DartifactoryApiTempDir=$PWD/json -DartifactoryUserNamesJsonListUrl=https://reports.jenkins.io/artifactory-ldap-users-report.json -Djava.util.logging.SimpleFormatter.format="%1$tY-%1$tm-%1$td %1$tH:%1$tM:%1$tS %4$s: %5$s%6$s%n" -jar target/repository-permissions-updater-*-bin/repository-permissions-updater-*.jar
2024-12-08 08:58:58.009+0000 [id=1]	INFO	java_util_logging_Logger$log$1#call: Running in dry run mode
Exception in thread "main" groovy.lang.MissingMethodException: No signature of method: static io.jenkins.infra.repository_permissions_updater.ArtifactoryPermissionsUpdater.generateApiPayloads() is applicable for argument types: (File, File) values: [/Users/timja/code/jenkins/repository-permissions-updater/permissions, ...]
	at groovy.lang.MetaClassImpl.invokeStaticMissingMethod(MetaClassImpl.java:1525)
	at groovy.lang.MetaClassImpl.invokeStaticMethod(MetaClassImpl.java:1511)
	at org.codehaus.groovy.runtime.callsite.StaticMetaClassSite.callStatic(StaticMetaClassSite.java:62)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:55)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:196)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:216)
	at io.jenkins.infra.repository_permissions_updater.ArtifactoryPermissionsUpdater.main(ArtifactoryPermissionsUpdater.groovy:500)

It runs on CI but for some reason the CD files aren't being generated there and archived: https://ci.jenkins.io/job/Infra/job/repository-permissions-updater/job/master/31402/artifact/json/

[jonesbusy]

Should we try to rollback the RPU to check if it works ?

paths:
-  - "io/jenkins/plugin-modernizer/plugin-modernizer-parent-pom"
-  - "io/jenkins/plugin-modernizer/plugin-modernizer-cli"
-  - "io/jenkins/plugin-modernizer/plugin-modernizer-core"
+  - "io/jenkins/plugin-modernizer/plugin-modernizer-*"

[timja]

yes I think you'll need to re-add the deleted files too

[jonesbusy]

Well... jenkins-infra/repository-permissions-updater#4222

Will see

[dduportal]

Watching the build on trusted.ci for you folks

[jonesbusy]

For the moment it didn't make any change : https://github.com/jenkins-infra/plugin-modernizer-tool/actions/runs/12254160825/job/34184491992

Still 403

[dduportal]

The build(s) just finished with success. Currently checking logs

[dduportal]

• tokens have been updated 18 min ago
• logs shows there are 3 CD components detected for the repo:

10:42:55  2024-12-10 09:42:54.990+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: CD-enabled component 'plugin-modernizer-pom' in repository 'jenkins-infra/plugin-modernizer-tool'
10:42:55  2024-12-10 09:42:54.990+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: CD-enabled component 'plugin-modernizer-core' in repository 'jenkins-infra/plugin-modernizer-tool'
10:42:55  2024-12-10 09:42:55.190+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: CD-enabled component 'plugin-modernizer-cli' in repository 'jenkins-infra/plugin-modernizer-tool'

I got the following logs:

10:18:17  2024-12-10 10:18:17.639+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: Processing repository jenkins-infra/plugin-modernizer-tool for CD
10:18:17  2024-12-10 10:18:17.645+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: Sending POST to https://repo.jenkins-ci.org/access/api/v1/tokens
10:18:17  2024-12-10 10:18:17.648+0000 [id=1]	INFO	java_util_logging_Logger$log$1#call: Generating token with request payload: username=CD-for-jenkins-infra__plugin-modernizer-tool&scope=applied-permissions%2Fgroups%3Areaders%2Cgeneratedv2-cd-jenkins-infra_plugin-modernizer-tool&expires_in=14400
10:18:17  2024-12-10 10:18:17.696+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: POST request to https://repo.jenkins-ci.org/access/api/v1/tokens returned: HTTP 200 OK
10:18:17  2024-12-10 10:18:17.701+0000 [id=1]	INFO	i.j.i.r.GitHubImpl#getRepositoryPublicKey: GET call to retrieve public key for jenkins-infra/plugin-modernizer-tool
10:18:17  2024-12-10 10:18:17.938+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: Public key of jenkins-infra/plugin-modernizer-tool is <REDACTED>
10:18:17  2024-12-10 10:18:17.982+0000 [id=1]	INFO	o.c.g.r.c.PlainObjectMetaMethodSite#doInvoke: Encrypted secrets are username:<REDACTED>; token:<REDACTED>
10:18:17  2024-12-10 10:18:17.983+0000 [id=1]	INFO	i.j.i.r.GitHubImpl#createOrUpdateRepositorySecret: Create/update the secret MAVEN_USERNAME for jenkins-infra/plugin-modernizer-tool encrypted with key <REDACTED>
10:18:18  2024-12-10 10:18:18.203+0000 [id=1]	INFO	i.j.i.r.GitHubImpl#createOrUpdateRepositorySecret: Create/update the secret MAVEN_TOKEN for jenkins-infra/plugin-modernizer-tool encrypted with key <REDACTED>

[jonesbusy]

Now it works.

I saw some token were generated more recently

https://github.com/jenkins-infra/plugin-modernizer-tool/releases/tag/911.v211a_1d5a_7a_a_f

https://github.com/jenkins-infra/plugin-modernizer-tool/actions/runs/12254938546

[dduportal]

Looks like we can close this issue @jonesbusy ?

[jonesbusy]

Sure