cubap
commented
2 months ago refreshing token would also require updating GitHub secrets and Auth0, which may not be feasible. Probably better is an alternate secret we can encode as a backdoor. If the token claim and secret match expectations, we execute.
It used to be that it never mattered whether or not the bot tokens expired. As the RERUM API code has shifted and evolved, this affordance has dissolved. As such, every increment (3 mos? 6mos? 12mos?) the bot token expires. This causes the CI/CD and tests to experience 401s which stop deploys from occurring on dev and prod.
Just like with all other applications, the RERUM API bots should be able to refresh themselves automatically when this occurs. We also have the option to bring back perma-tokens for bots.