feat(secret): react to secret changed

Author: cbartz

src/charm.py

@@ -34,6 +34,7 @@
     ConfigChangedEvent,
     EventBase,
     InstallEvent,
+    SecretChangedEvent,
     StartEvent,
     StopEvent,
     UpdateStatusEvent,
@@ -245,6 +246,7 @@ def __init__(self, *args: Any, **kwargs: Any) -> None:
         self.framework.observe(
             self.on[PLANNER_INTEGRATION_NAME].relation_broken, self._on_planner_relation_broken
         )
+        self.framework.observe(self.on.secret_changed, self._on_secret_changed)
         self.framework.observe(self.on.check_runners_action, self._on_check_runners_action)
         self.framework.observe(self.on.flush_runners_action, self._on_flush_runners_action)
         self.framework.observe(self.on.update_status, self._on_update_status)
@@ -394,6 +396,14 @@ def _on_config_changed(self, _: ConfigChangedEvent) -> None:
             self._manager_client.flush_runner()
         self.unit.status = ActiveStatus()
 
+    @catch_charm_errors
+    def _on_secret_changed(self, _: SecretChangedEvent) -> None:
+        """Handle secret content rotation (e.g. GitHub App private key)."""
+        logger.info("Secret changed, reconciling")
+        state = self._setup_state()
+        self._reconcile(state)
+        self._manager_client.flush_runner()
+
     @catch_action_errors
     def _on_check_runners_action(self, event: ActionEvent) -> None:
         """Handle the action of checking of runner state.

tests/unit/test_charm.py

@@ -342,6 +342,49 @@ def test__on_config_changed_no_flush(
     harness.charm._manager_client.flush_runner.assert_not_called()
 
 
+def test_on_secret_changed_flushes_runners(monkeypatch: pytest.MonkeyPatch):
+    """
+    arrange: Charm configured with a GitHub App private key secret.
+    act: Update the secret content (triggers secret-changed event).
+    assert: Runners are flushed and service is reconciled.
+    """
+    harness = Harness(GithubRunnerCharm)
+    secret_id = harness.add_user_secret(content={"private-key": "old-pem"})
+    harness.update_config({GITHUB_APP_PRIVATE_KEY_SECRET_ID_CONFIG_NAME: secret_id})
+    harness.begin()
+    state_mock = MagicMock()
+    monkeypatch.setattr("charm.manager_service", MagicMock())
+    harness.charm._manager_client = MagicMock(spec=GitHubRunnerManagerClient)
+    harness.charm._setup_state = MagicMock(return_value=state_mock)
+    harness.charm._check_image_ready = MagicMock(return_value=True)
+
+    harness.set_secret_content(secret_id, {"private-key": "new-pem"})
+
+    harness.charm._manager_client.flush_runner.assert_called_once()
+
+
+def test_on_secret_changed_reconciles_on_any_secret(monkeypatch: pytest.MonkeyPatch):
+    """
+    arrange: Charm configured with a GitHub App private key secret.
+    act: Update an unrelated secret's content.
+    assert: Runners are still flushed (holistic reconcile on any secret change).
+    """
+    harness = Harness(GithubRunnerCharm)
+    secret_id = harness.add_user_secret(content={"private-key": "pem-data"})
+    unrelated_secret_id = harness.add_user_secret(content={"some-key": "some-value"})
+    harness.update_config({GITHUB_APP_PRIVATE_KEY_SECRET_ID_CONFIG_NAME: secret_id})
+    harness.begin()
+    state_mock = MagicMock()
+    monkeypatch.setattr("charm.manager_service", MagicMock())
+    harness.charm._manager_client = MagicMock(spec=GitHubRunnerManagerClient)
+    harness.charm._setup_state = MagicMock(return_value=state_mock)
+    harness.charm._check_image_ready = MagicMock(return_value=True)
+
+    harness.set_secret_content(unrelated_secret_id, {"some-key": "new-value"})
+
+    harness.charm._manager_client.flush_runner.assert_called_once()
+
+
 def test_on_stop_busy_flush_and_cleanup_service(harness: Harness, monkeypatch: pytest.MonkeyPatch):
     """
     arrange: Set up charm with Openstack mode and runner scaler mock.