Wire Azure DevOps webhook secret

ak684 · ak684 · commit 3373658e37a2 · 2026-05-27T18:48:51.000-04:00
diff --git a/charts/openhands-secrets/Chart.yaml b/charts/openhands-secrets/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: openhands-secrets
 description: A Helm chart for OpenHands secrets
 type: application
-version: 0.1.21
+version: 0.1.22
 appVersion: "1.0"
diff --git a/charts/openhands-secrets/templates/azure-devops-app.yaml b/charts/openhands-secrets/templates/azure-devops-app.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.config.azure_devops_client_id .Values.config.azure_devops_client_secret }}
+{{- if or .Values.config.azure_devops_client_id .Values.config.azure_devops_client_secret .Values.config.azure_devops_webhook_secret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,4 +12,7 @@ data:
   {{- if .Values.config.azure_devops_client_secret }}
   client-secret: {{ .Values.config.azure_devops_client_secret | b64enc | quote }}
   {{- end }}
+  {{- if .Values.config.azure_devops_webhook_secret }}
+  webhook-secret: {{ .Values.config.azure_devops_webhook_secret | b64enc | quote }}
+  {{- end }}
 {{- end }}
diff --git a/charts/openhands-secrets/values.yaml b/charts/openhands-secrets/values.yaml
@@ -66,6 +66,7 @@ config:
   azure_devops_organization: ""
   azure_devops_client_id: ""
   azure_devops_client_secret: ""
+  azure_devops_webhook_secret: ""
 
   # Jira Data Center credentials (OAuth, optional)
   jira_data_center_base_url: ""
diff --git a/charts/openhands/Chart.yaml b/charts/openhands/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 description: OpenHands is an AI-driven autonomous software engineer
 name: openhands
 appVersion: cloud-1.34.0
-version: 0.7.33
+version: 0.7.34
 maintainers:
   - name: rbren
   - name: xingyao
diff --git a/charts/openhands/templates/_env.yaml b/charts/openhands/templates/_env.yaml
@@ -234,6 +234,12 @@
       name: {{ .Values.azureDevOps.auth.existingSecret }}
       key: client-secret
       optional: false
+- name: AZURE_DEVOPS_WEBHOOK_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.azureDevOps.auth.existingSecret }}
+      key: webhook-secret
+      optional: false
 {{- end }}
 {{- if and (index .Values "litellm-helm") (index .Values "litellm-helm" "enabled") }}
 - name: LITE_LLM_API_URL
diff --git a/replicated/config.yaml b/replicated/config.yaml
@@ -483,6 +483,13 @@ spec:
           type: password
           when: 'repl{{ ConfigOptionEquals "azure_devops_auth_enabled" "1" }}'
           required: true
+        - name: azure_devops_webhook_secret
+          title: Azure DevOps Webhook Secret
+          help_text: Shared secret used to authenticate Azure DevOps Service Hook requests to OpenHands.
+          type: password
+          hidden: true
+          value: '{{repl RandomString 32}}'
+          when: 'repl{{ ConfigOptionEquals "azure_devops_auth_enabled" "1" }}'
 
     - name: jira_data_center_integration
       title: Jira Data Center Integration
diff --git a/replicated/openhands.yaml b/replicated/openhands.yaml
@@ -325,7 +325,7 @@ spec:
     # Grouped in order: LLM provider keys; app/infra secrets (admin, postgres,
     # redis, jwt, keycloak, litellm, sandbox, plugin-directory, automation); then
     # auth/integration secrets (bitbucket DC, jira DC, github, gitlab, slack, laminar).
-    secretsChecksum: 'repl{{ sha256sum (printf "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" (ConfigOption "anthropic_api_key") (ConfigOption "openai_api_key") (ConfigOption "google_gemini_api_key") (ConfigOption "deepseek_api_key") (ConfigOption "mistral_api_key") (ConfigOption "azure_api_key") (ConfigOption "azure_client_secret") (ConfigOption "groq_api_key") (ConfigOption "openrouter_api_key") (ConfigOption "aws_secret_access_key") (ConfigOption "custom_api_key") (ConfigOption "admin_password") (ConfigOption "postgres_password") (ConfigOption "redis_password") (ConfigOption "jwt_secret") (ConfigOption "keycloak_admin_password") (ConfigOption "keycloak_client_secret") (ConfigOption "litellm_api_key") (ConfigOption "default_api_key") (ConfigOption "sandbox_api_key") (ConfigOption "keycloak_smtp_password") (ConfigOption "plugin_directory_identity_shared_secret") (ConfigOption "plugin_directory_session_secret") (ConfigOption "automation_service_key") (ConfigOption "automation_webhook_secret") (ConfigOption "bitbucket_data_center_client_secret") (ConfigOption "bitbucket_data_center_bot_token") (ConfigOption "azure_devops_client_secret") (ConfigOption "jira_data_center_client_secret") (ConfigOption "jira_data_center_service_account_email") (ConfigOption "jira_data_center_service_account_pat") (ConfigOption "github_oauth_client_secret") (ConfigOption "github_app_webhook_secret") (ConfigOption "gitlab_oauth_client_secret") (ConfigOption "slack_client_secret") (ConfigOption "slack_signing_secret") (ConfigOption "external_postgres_password") (ConfigOption "custom_sandbox_image_registry_password") (ConfigOption "laminar_project_api_key")) }}'
+    secretsChecksum: 'repl{{ sha256sum (printf "%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s" (ConfigOption "anthropic_api_key") (ConfigOption "openai_api_key") (ConfigOption "google_gemini_api_key") (ConfigOption "deepseek_api_key") (ConfigOption "mistral_api_key") (ConfigOption "azure_api_key") (ConfigOption "azure_client_secret") (ConfigOption "groq_api_key") (ConfigOption "openrouter_api_key") (ConfigOption "aws_secret_access_key") (ConfigOption "custom_api_key") (ConfigOption "admin_password") (ConfigOption "postgres_password") (ConfigOption "redis_password") (ConfigOption "jwt_secret") (ConfigOption "keycloak_admin_password") (ConfigOption "keycloak_client_secret") (ConfigOption "litellm_api_key") (ConfigOption "default_api_key") (ConfigOption "sandbox_api_key") (ConfigOption "keycloak_smtp_password") (ConfigOption "plugin_directory_identity_shared_secret") (ConfigOption "plugin_directory_session_secret") (ConfigOption "automation_service_key") (ConfigOption "automation_webhook_secret") (ConfigOption "bitbucket_data_center_client_secret") (ConfigOption "bitbucket_data_center_bot_token") (ConfigOption "azure_devops_client_secret") (ConfigOption "azure_devops_webhook_secret") (ConfigOption "jira_data_center_client_secret") (ConfigOption "jira_data_center_service_account_email") (ConfigOption "jira_data_center_service_account_pat") (ConfigOption "github_oauth_client_secret") (ConfigOption "github_app_webhook_secret") (ConfigOption "gitlab_oauth_client_secret") (ConfigOption "slack_client_secret") (ConfigOption "slack_signing_secret") (ConfigOption "external_postgres_password") (ConfigOption "custom_sandbox_image_registry_password") (ConfigOption "laminar_project_api_key")) }}'
     bitbucketDataCenter:
       enabled: repl{{ ConfigOptionEquals "bitbucket_data_center_auth_enabled" "1" }}
       host: 'repl{{ ConfigOption "bitbucket_data_center_domain" }}'
diff --git a/replicated/secrets.yaml b/replicated/secrets.yaml
@@ -73,6 +73,7 @@ spec:
       azure_devops_organization: '{{repl ConfigOption "azure_devops_organization"}}'
       azure_devops_client_id: '{{repl ConfigOption "azure_devops_client_id"}}'
       azure_devops_client_secret: '{{repl ConfigOption "azure_devops_client_secret"}}'
+      azure_devops_webhook_secret: '{{repl ConfigOption "azure_devops_webhook_secret"}}'
 
       # Jira Data Center secrets (OAuth, optional)
       jira_data_center_base_url: '{{repl ConfigOption "jira_data_center_base_url"}}'
