codecov / codecov-python

Python report uploader for Codecov
https://codecov.io
Apache License 2.0

How to prevent the need for token for public projects (jenkins) #70

Open halkeye opened 8 years ago

halkeye commented 8 years ago

Reading over https://github.com/codecov/codecov-python/blob/master/codecov/__init__.py, it looks to me like the only reason you need to provide --token= for Jenkins and not Travis is because job is set for Travis?

Why isn't job set to something (BUILD_NUMBER, or a timestamp) for Jenkins?

That way a token wouldn't be required for public projects.

stevepeak commented 8 years ago

@halkeye it is more than just the job number. We tap the TravisCI API to validate build params to ensure the upload is authentic.

If the CI provider has an API endpoint we can avoid requiring the token, but until then we must include the token for authentication.

halkeye commented 8 years ago

Jenkins has a built-in API that you can access from a run.

What data do you need?

stevepeak commented 8 years ago

Is there documentation for this API endpoint? That would be the most help 👍

halkeye commented 8 years ago

Okay, I'll see what I can dig up the next time I'm at a computer.

I know you can access it through the api link on the bottom of every page.

It would be something like /jenkins/job/$build_name/$build_id/api

halkeye commented 8 years ago

https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API

has some info too.

I don't think it's super well documented though.

It's also not hard to expose more info through a custom plugin if needed.

stevepeak commented 8 years ago

I see posting builds, but not an endpoint for GET builds. I would guess it's simply at:

curl -X GET JENKINS_URL/job/JOB_NAME/build/BUILD_NUM

There likely is an authorization token required to access this data.

Is there documentation on GET builds?

halkeye commented 8 years ago

I'm not super familiar with the REST APIs, but I can ping the mailing list if need be.

curl -X GET $BUILD_URL would save you from needing to build the URL yourself.

HUDSON_COOKIE

HUDSON_SERVER_COOKIE

JENKINS_SERVER_COOKIE

I'm not sure how (yet), but those can be used during the request for authentication when hitting the URLs.

https://jenkins.ci.cloudbees.com/job/plugins/job/sauce-ondemand-plugin/338/api/json?pretty=true

^^ has a bunch of info.

stevepeak commented 8 years ago

Thanks for the details here. So the environment variables you stated would be used to authorize access to the BUILD_URL endpoint? ❤️ Love it!

How would I use the cookie if I'm making this API request server side?

halkeye commented 8 years ago

Oh I'm totally wrong, those cookies are just random strings for identification purposes.

I'm trying to figure out ways to run the codecov tool in public without being able to provide the token in a secret way.

If that means writing a helper plugin to expose more data, I totally will.

stevepeak commented 8 years ago

That would be great! Here are some ideas of the information we would like to verify in order to accept uploads:

  1. repository slug being tested (owner/repo)
  2. whether the Jenkins build is still running
  3. commit sha being tested
  4. branch being tested

stevepeak commented 8 years ago

Here is an example:

{
  "finished": false,
  "build_num": 145,
  "slug": "owner/repo",
  "commit": {
    "sha": "815be8d6e1af1c3449407cc6d085b550f14b907d",
    "branch": "master",
    "is_merge_commit": false
  }
}
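As an added example (not code from codecov-python or from any Jenkins plugin), this is how the server-side check stevepeak describes could compare an upload's claims against a build document in the shape of his example JSON above. `build_api_url` assumes the usual Jenkins `<run URL>/api/json` form of `$BUILD_URL`; the two claim dicts are constructed sample inputs.

```python
import json
import re

# A full 40-hex-digit sha; anything else in the CI document is treated as malformed.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def build_api_url(build_url):
    """Map Jenkins' $BUILD_URL to the JSON API URL for that run (assumed
    <run URL>/api/json, as linked at the bottom of every Jenkins page)."""
    if not build_url.endswith("/"):
        build_url += "/"
    return build_url + "api/json"


def verify_upload(claimed, ci_build):
    """Return a list of mismatches between what the uploader claims and what
    the CI server reports (ci_build follows the proposed JSON above).
    An empty list means the upload is consistent with a live build."""
    problems = []
    commit = ci_build.get("commit", {})
    sha = commit.get("sha", "")
    if not SHA_RE.match(sha):
        problems.append("ci sha malformed")
    # Only a build that is still running may report coverage for itself.
    if ci_build.get("finished", True):
        problems.append("build already finished")
    if ci_build.get("slug") != claimed.get("slug"):
        problems.append("slug mismatch")
    if sha != claimed.get("commit"):
        problems.append("commit mismatch")
    if commit.get("branch") != claimed.get("branch"):
        problems.append("branch mismatch")
    if ci_build.get("build_num") != claimed.get("build"):
        problems.append("build number mismatch")
    return problems


# Constructed sample: the document the CI API would return for build 145.
CI_RESPONSE = json.loads("""{"finished": false, "build_num": 145,
  "slug": "owner/repo",
  "commit": {"sha": "815be8d6e1af1c3449407cc6d085b550f14b907d",
             "branch": "master", "is_merge_commit": false}}""")

# Constructed sample claims: one honest upload, one pointing at another repo.
HONEST_CLAIM = {"slug": "owner/repo", "build": 145, "branch": "master",
                "commit": "815be8d6e1af1c3449407cc6d085b550f14b907d"}
FORGED_CLAIM = dict(HONEST_CLAIM, slug="someone-else/repo")
```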