Send webhooks without credentials

We can now send webhook data to an SQS queue at AWS without signing the request with credentials. This allows us to trigger Schutzbot from forks and from branches on the main repository. Signed-off-by: Major Hayden <major@redhat.com>
2021-02-10 07:44:14 -06:00 · 2021-02-10 07:44:14 -06:00 · 538f64eb67
commit 538f64eb67
parent 51aa1c771c
2 changed files with 11 additions and 5 deletions
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -59,11 +59,9 @@ jobs:
          WEBHOOK_PAYLOAD: ${{ toJSON(github.event) }}
          SQS_REGION: us-east-1
          SQS_QUEUE_URL: "https://sqs.us-east-1.amazonaws.com/933752197999/schutzbot_webhook_sqs-staging"
-          AWS_ACCESS_KEY_ID: ${{ secrets.WEBHOOK_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.WEBHOOK_AWS_SECRET_ACCESS_KEY }}
        run: |
          #!/bin/bash
-          pip3 install boto3
+          pip3 install boto3 botocore
          schutzbot/send_webhook.py

  shellcheck:
--- a/schutzbot/send_webhook.py
+++ b/schutzbot/send_webhook.py
@ -4,13 +4,21 @@ import json
 import os

 import boto3
+from botocore import UNSIGNED
+from botocore.client import Config

 WEBHOOK_PAYLOAD = os.environ.get("WEBHOOK_PAYLOAD")
 EVENT_NAME = os.environ.get("EVENT_NAME")
-SQS_REGION = os.environ.get("SQS_REGION")
 SQS_QUEUE_URL = os.environ.get("SQS_QUEUE_URL")
+SQS_REGION = os.environ.get("SQS_REGION")

-sqs = boto3.client('sqs', region_name=SQS_REGION)
+sqs = boto3.client(
+    'sqs',
+    region_name=SQS_REGION,
+    config=Config(
+        signature_version=UNSIGNED
+    )
+)

 payload = json.loads(WEBHOOK_PAYLOAD)
 message = {