jenkinsci / generic-webhook-trigger-plugin

Can receive any HTTP request, extract any values from JSON or XML and trigger a job with those values available as variables. Works with GitHub, GitLab, Bitbucket, Jira and many more.
https://plugins.jenkins.io/generic-webhook-trigger

Webhook secret doesn't work with GitHub #269

Closed hcldan closed 1 year ago

hcldan commented 1 year ago

I realize that I can put the secret in the url of the call.
That is not very secure (secrets should be secret). I would very much rather have the way that GitHub manages secrets be supported.

https://repl.ca/what-is-x-hub-signature/

hcldan commented 1 year ago

https://github.com/McFoggy/xhub4j

tomasbjerre commented 1 year ago

This issue is poorly described. Not something I can work with. Please provide a clear description if you want something done.

hcldan commented 1 year ago

@tomasbjerre I'm not sure what more you need.

GitHub sends webhook notifications based on the xhub standard. There's a link up there. It means that there are headers which describe a signature of the content of the message (combined with the secret). The x-hub-signature header is sent with the signature.

The 2nd link is a java library to help you parse those headers and verify the signatures.

hcldan commented 1 year ago

This prevents the transmission of the secret (token) over the wire, and being visible in the GitHub UI and logs.
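The check hcldan is describing in the two comments above, as an added example (not code from the plugin, from xhub4j or from either commenter): GitHub computes an HMAC over the raw request body with the shared secret and sends only the digest in the `X-Hub-Signature-256` (and legacy `X-Hub-Signature`) header, so the receiver recomputes it and the secret itself never appears in the URL or in logs. The secret and payload below are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values (not from the issue): a webhook secret as configured
# on the GitHub side, and a raw JSON payload as GitHub would POST it.
SECRET = b"s3cr3t-configured-in-github-and-jenkins"
RAW_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"acme/app"}}'

# GitHub's header names and the digest algorithm each one carries.
HEADER_ALGOS = {
    "X-Hub-Signature-256": "sha256",  # current header
    "X-Hub-Signature": "sha1",        # legacy header, still sent alongside
}


def sign(secret: bytes, raw_body: bytes, algo: str = "sha256") -> str:
    """Produce the header value GitHub sends: '<algo>=<hex HMAC of raw body>'."""
    mac = hmac.new(secret, raw_body, getattr(hashlib, algo)).hexdigest()
    return f"{algo}={mac}"


def verify_x_hub_signature(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if a recognised X-Hub-Signature header matches the body.

    The HMAC must be computed over the exact request bytes; re-serialising the
    parsed JSON changes whitespace/key order and breaks verification.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    for header, algo in HEADER_ALGOS.items():  # sha256 is tried first
        presented = lowered.get(header.lower())
        if not presented:
            continue
        prefix, _, hexmac = presented.partition("=")
        if prefix != algo:
            continue
        expected = hmac.new(secret, raw_body, getattr(hashlib, algo)).hexdigest()
        # Constant-time comparison avoids leaking the MAC byte-by-byte via timing.
        return hmac.compare_digest(expected, hexmac)
    return False  # no signature header at all: treat as unauthenticated


if __name__ == "__main__":
    headers = {"X-Hub-Signature-256": sign(SECRET, RAW_BODY)}
    print(verify_x_hub_signature(SECRET, RAW_BODY, headers))         # True
    print(verify_x_hub_signature(SECRET, RAW_BODY + b" ", headers))  # False
    print(verify_x_hub_signature(b"wrong", RAW_BODY, headers))       # False
    print(verify_x_hub_signature(SECRET, RAW_BODY, {}))              # False
```

Note that a request whose `X-Hub-Signature-256` fails is rejected outright rather than falling back to the weaker sha1 header.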

tomasbjerre commented 1 year ago

Have you seen this feature? Is that what you want?

[screenshot: Screenshot_20230711-180520]

hcldan commented 1 year ago

That's part of this plugin? No, I looked for the option around the token validation (which could just happen automatically for defaults (per the spec) based on the secret provided, just like you automatically check for headers and bearer token):

[screenshot]

If that option exists, we can use it... but I would greatly appreciate it if it looked for the default (token configured with Jenkins secret + x-hub-signature header) for automatic validation.

hcldan commented 1 year ago

Actually, I suppose that I can just stop using tokens, but that prevents me from having scoped credentials in the folder for the job.

I'll have to see how important that is to me.

tomasbjerre commented 1 year ago

Yes it is part of the plugin. When configured it will apply to all jobs in that Jenkins installation.

hcldan commented 1 year ago

I guess I was confused by the token being choosable as a Jenkins credential. If it's just a filter-based thing, I would have expected it to be in something like the configuration provider.