jenkinsci / generic-webhook-trigger-plugin

Can receive any HTTP request, extract any values from JSON or XML and trigger a job with those values available as variables. Works with GitHub, GitLab, Bitbucket, Jira and many more.
https://plugins.jenkins.io/generic-webhook-trigger

Does this plugin work without token and username & password ? #173

Closed 478859-anurag closed 3 years ago

478859-anurag commented 3 years ago

Does this plugin work without token and username & password if we are integrating GitHub with Jenkins?

Because I tried and without token it was complaining to supply either token or username & password.

I can’t supply the username password as in an organisation level you want to use service account for which I only have api key and giving token means adding token in all jenkins declarative pipeline jobs.

I don’t think you will need more details to answer this 😊

You may also have a look at the test cases as they should answer the most common questions:

https://github.com/jenkinsci/generic-webhook-trigger-plugin/tree/master/src/test/resources/org/jenkinsci/plugins/gwt/bdd

If you are fiddling with expressions, you may want to checkout:

A Curl command can look something like this:

curl -v -H "Content-Type: application/json" -X POST -d '{ "app":{ "name":"GitHub API", "url":"http://developer.github.com/v3/oauth/" }}' http://localhost:8080/jenkins/generic-webhook-trigger/invoke?token=sometoken
tomasbjerre commented 3 years ago

Yes it does. But you probably don't have Jenkins configured in such an insecure way.

Here is where it happens: https://github.com/jenkinsci/generic-webhook-trigger-plugin/blob/c0cfc1314988ab53676b6e79147ca6acabfd9f8e/src/main/java/org/jenkinsci/plugins/gwt/jobfinder/JobFinderImpersonater.java#L17

Without token the plugin will only find jobs available for the logged-in user. If user is not logged in the plugin will only find publicly available jobs. You probably don't want unauthorized requests to be able to trigger jobs. But if you do, you can have a look at Jenkins security settings.

I would configure the plugin in a shared library and set token once.

478859-anurag commented 3 years ago

Right so how can we configure the plugin using shared lib, as I am actually calling shared lib methods in all of my stages in declarative pipeline. If you can guide with an example setup that will be great

tomasbjerre commented 3 years ago

When using scripted pipeline it is the exact same code. I'm not sure about declarative.

If you google how to set up trigger in shared library you will probably find something. This part is not specific to this plugin so should be easy to find.

478859-anurag commented 3 years ago

Thanks a lot for prompt response, I will surely check that and implement.

I was just wondering how Normal github Webhook works without token and credentials? Can’t we implement generic webhook trigger as well in the same way so that it will not need token or credentials?

tomasbjerre commented 3 years ago

The plugin for GitHub that you use probably always does impersonation. This plugin only does it if token was given: https://github.com/jenkinsci/generic-webhook-trigger-plugin/blob/c0cfc1314988ab53676b6e79147ca6acabfd9f8e/src/main/java/org/jenkinsci/plugins/gwt/jobfinder/JobFinderImpersonater.java#L15

It would certainly be possible to always impersonate ACL.impersonate(ACL.SYSTEM) in this plugin as well. But for security reasons I choose not to. As this plugin can consume any JSON and jobs can read any part of it. There is no type checking going on. Anything can be contributed to the build. A GitHub plugin can choose to only accept valid GitHub webhooks, do type checking and be strict on what environment variables are contributed to the build.

478859-anurag commented 3 years ago

I am working on a problem in which I don’t want to trigger jenkins pipelines at all if the push is done by the jenkins user into Git Hub. As I was using general GitHub webhook, pipeline first stage was itself to change a couple of files and push back the code in same branch/repo. Which again triggers new build in same pipeline creating a never ending loop.

I tried to solve that a little by setting some values and picking those in when condition so that it will run initial check in by user and change a few file and push back the code which triggers next build but as commit message is something I am checking in next build it triggers that build but skips all the stages.

To get rid of the second pipeline build which skips all stages, I thought using generic webhook trigger will be the best way to approach as I can check which user pushed the code and based that decide the trigger.

But now when I see this I think I have to remove the normal github webhook and add generic one. As otherwise normal github webhook will always trigger the pipeline on push of a code irrespective generic one restricting it.

It will be really great to hear you view on this 😊 Thanks in advance!

tomasbjerre commented 3 years ago

> check which user pushed the code and based that decide the trigger.

Yes that is how I would solve it. There are examples of that here: https://github.com/jenkinsci/generic-webhook-trigger-plugin/blob/master/src/test/resources/org/jenkinsci/plugins/gwt/bdd/filter-with-variables.feature#L34
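
The two suggestions in this thread (set the token once in a shared library, and filter on who pushed) can be combined in one scripted-pipeline step. This is an added example, not code from the thread or from the plugin project. It assumes a shared-library step named `webhookTrigger`, a Secret text credential with id `gwt-token`, a service account called `jenkins-bot`, a GitHub push payload carrying `$.pusher.name`, and a plugin version that supports `tokenCredentialId`.

```groovy
// vars/webhookTrigger.groovy  (hypothetical step name in your shared library)
//
// Usage from a scripted Jenkinsfile:
//   @Library('my-shared-lib') _        // library name is an assumption
//   node {
//       webhookTrigger(botUser: 'jenkins-bot')
//       // ... stages ...
//   }
def call(Map cfg = [:]) {
    // Assumed id of a "Secret text" credential holding the webhook token,
    // so the token is stored once in Jenkins and not in every Jenkinsfile.
    String credId  = cfg.tokenCredentialId ?: 'gwt-token'
    // Assumed account the pipeline uses when it pushes back to the repository.
    String botUser = cfg.botUser ?: 'jenkins-bot'

    properties([
        pipelineTriggers([
            [$class: 'GenericTrigger',
             // Extract only the field the filter needs. The payload is
             // untrusted JSON, so contribute as little of it as possible.
             genericVariables: [
                 [key: 'pusher_name', value: '$.pusher.name']
             ],
             // With a token the plugin impersonates to find this job;
             // without one, only jobs visible to the caller are found.
             tokenCredentialId: credId,
             causeString: 'Push by $pusher_name',
             // Keep request bodies out of the build log.
             printContributedVariables: false,
             printPostContent: false,
             // Trigger only when the pusher is non-empty and is not the bot.
             // A payload with no pusher field resolves to an empty string,
             // fails ".+" and does not start a build.
             regexpFilterText: '$pusher_name',
             regexpFilterExpression:
                 '^(?!' + java.util.regex.Pattern.quote(botUser) + '$).+$'
            ]
        ])
    ])
}
```

Because the trigger is registered through `properties`, each job has to run once before the webhook configuration takes effect.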