pact-foundation / pact_broker

Enables your consumer driven contracts workflow
http://pactflow.io
MIT License
702 stars 173 forks

Add webhook to notify provider team when a new branch/tag of a pact has been created #162

Open bethesque opened 6 years ago

Koriit commented 4 years ago

Hello, we are using Pact Broker for pacts management and we are leveraging webhooks to implement automatic verifications. To limit the number of firing verifications, we create our webhooks on the contract_content_changed event, as recommended. Furthermore, we manage pacts with tags. To be sure our providers are not impeached by some junk and WIP pacts, we introduced a rule that only tagged pacts are "official" and verified in our verification pipelines.

However, this leads to an issue. If a pact is created without a tag, then our verification pipeline would ignore it and the webhook will never be triggered again for the same pact file. Adding a tag later on helps but it still requires that we trigger the verification manually.

It would be great if there was some webhook that could be triggered when a pact still hadn't been verified and a new version/tag is created that points to it.

bethesque commented 4 years ago

Have you looked into the WIP pacts feature? This might solve your problem. http://blog.pact.io/2020/02/24/introducing-wip-pacts/

samzee commented 3 years ago

@bethesque I just recently set up a Pact Broker and am trying to set up a webhook to trigger my Jenkins build, but I'm still unsuccessful in my attempt. My question is: I can't see any logs or errors while executing the webhook; it says look here https://docs.pact.io/pact_broker/advanced_topics/api_docs/webhooks/#webhook-whitelist. I took the image directly from Docker Hub. Is there any way via the API to update the config.webhook_host_whitelist = [] value, without having to download the code and push a new image? Thanks for reading, any help is much appreciated.

samzee commented 3 years ago

Hi @Koriit, do you have a sample of how you created webhooks and what configurations you had to update at the Pact Broker to get it working? I'm trying to do the same, so far no luck. I am using the Pact Broker 2.58.3 version image, with Jenkins as the CI tool. I tried creating the webhook as per the instructions from the official page, but I am not able to trigger the Jenkins build, and not able to check the logs as they are disabled by default. Any sample would be great, thanks.

bethesque commented 3 years ago

The docs for setting the webhook whitelist for the docker image are here: https://github.com/pact-foundation/pact-broker-docker#webhook-whitelists

The docs for how the whitelists work are here: https://docs.pact.io/pact_broker/configuration#webhook-whitelists (note that the examples given are for the underlying Ruby app, and that you need to set them via the env vars in the docker image as documented in the link above).

The docs for debugging webhooks are here: https://docs.pact.io/pact_broker/webhooks/debugging_webhooks

You can find all of these docs by going to docs.pact.io, clicking "Search" and typing in "webhooks".


samzee commented 3 years ago

Thanks for getting back to me so quickly. I tried all those steps and created the webhook, but I keep getting invalid Jenkins crumb, upstream request failed or timeout errors. Are there any examples for setting up a webhook to trigger a Jenkins job based on any event? A Jenkins example would really help me here, thanks.

bethesque commented 3 years ago

You'll need to look at the Jenkins docs - I'm not a Jenkins expert or help desk. Have you googled the error? I have some kind of memory of Jenkins being difficult because it needed a two step request/response process, unless some setting was configured the right way.

I recommend getting the request working outside of the broker (e.g. with a curl request, or with node, or Postman, or whatever tool you're familiar with), and once you've got that working, translate it into a webhook. You could try asking in the #pact-broker channel of our Slack community (join at https://slack.pact.io).

We do have the template library that people have built up over the years, but it seems that nobody has contributed a Jenkins one. Maybe you can add one once you've gotten it working.

Koriit commented 3 years ago

@samzee as already pointed out, the problem likely lies on the Jenkins side.

In my setup, I am using GitLab pipelines. Given a pipeline trigger I create a webhook like this:

pact-broker create-webhook "https://mygitlab.net/api/v4/projects/833/ref/master/trigger/pipeline?token=__TOKEN__&variables[VERIFY_SERVICE_PACTS]=true&variables[PACTICIPANT]=\${pactbroker.providerName}" \
--provider=__PROVIDER__ \
--request=POST \
--contract-content-changed \
--broker-base-url=https://mypactbroker.net \
--broker-username=__USER__ \
--broker-password=__PASS__

VERIFY_SERVICE_PACTS is just there as a guard so that the pipeline is not accidentally triggered in other ways. PACTICIPANT is the actual variable/param that passes the name of the provider to verify. I am using one pipeline/script (plus some mapping provider->repo) to verify any provider, as our applications use Gradle and have a common verifyPact task.

This hook must be created for every provider. You can make it global if you omit the --provider param but in such a case, the pipeline would be triggered for every pact change which would be a waste of compute resources.
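Added example (not part of the comment above and not Pact Broker or GitLab code): a guard the shared verification pipeline could run first, since VERIFY_SERVICE_PACTS and PACTICIPANT arrive as trigger variables and should be checked before they select a repository. The function name `resolve_provider_repo` and the provider-to-repo table are hypothetical, constructed for illustration.

```shell
#!/bin/sh
# Constructed sample mapping: "<provider name> <repository path>" per line.
PROVIDER_REPOS='orders-service group/orders-service
billing-api group/billing-api'

# Prints the repository for a provider on stdout, or returns non-zero.
#   $1 = value of VERIFY_SERVICE_PACTS
#   $2 = value of PACTICIPANT
resolve_provider_repo() {
    guard=$1
    provider=$2

    # 1. Run only when the webhook's guard variable is exactly "true".
    if [ "$guard" != "true" ]; then
        echo "guard variable not set, refusing to run" >&2
        return 2
    fi

    # 2. Reject empty names and anything outside a conservative character
    #    set, so the value cannot carry shell metacharacters or path parts.
    case $provider in
        ''|*[!A-Za-z0-9._-]*)
            echo "invalid provider name" >&2
            return 3
            ;;
    esac

    # 3. Exact-match lookup in the allowlist; the name is only compared,
    #    never evaluated or interpolated into a command.
    while read -r name repo; do
        if [ "$name" = "$provider" ]; then
            printf '%s\n' "$repo"
            return 0
        fi
    done <<EOF
$PROVIDER_REPOS
EOF

    echo "unknown provider" >&2
    return 4
}
```

In the pipeline this would be called as `repo=$(resolve_provider_repo "$VERIFY_SERVICE_PACTS" "$PACTICIPANT") || exit 1` before any checkout or Gradle step.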

Koriit commented 3 years ago

@bethesque it took me a while but I have finally found the time to read about WIP pacts. It is certainly an interesting feature and fills the void in pacts testing on feature branches.

However, it does not resolve my problem.

When we verify pacts, all the pacts that we need to be verified are verified. But only when it runs. We have separate pipelines to trigger pact verification apart from the provider's build. To trigger those verification pipelines we leverage Pact Broker's webhooks functionality. This way, consumer teams can get their pacts verified as soon as they are published without even engaging the provider teams (verification logs and results are even uploaded to Report Portal so all the more good stuff).

And again, the actual problem is when the verification pipeline experiences some critical failure like runner shutdown etc. As a result, no verification results are uploaded back to the Pact Broker and the Pact Broker does not fire the hook ever again (on contract_content_changed) for the same pact (no matter how many new consumer versions are tagged). The lack of verifications causes can-I-deploy to complain and we have to trigger verification pipelines manually.

Right now we are considering additionally running all verifications every night or two. But that seems to be a waste of computing resources. :(

bethesque commented 3 years ago

I think I understand your use case now. You want a webhook to be triggered when a pact is published with content that has not yet been verified. unverified_contract_content_published

What you're asking for, however, is for me to add a feature to the Pact Broker because of an issue with the unreliability of your test environment. To me, the thing that needs fixing is your test runners - however, I'm guessing that this is an ongoing and frustrating issue for you that you would have already spent much time on, otherwise you wouldn't be asking for this feature to workaround it.

I'll give it some thought. It's not something that anyone else has asked for, and there are many things higher on the priority list I'm afraid. Can you please raise the feature request in pact.canny.io?

Koriit commented 3 years ago

A quick search did not yield any matching feature requests, so, as asked: https://pact.canny.io/feature-requests/p/trigger-webhook-if-pact-not-verified

@bethesque you are correct in pointing out that the actual issue is with our pipelines. However, I believe it is not that uncommon. One only needs a DNS server to be refreshing for some things to fail miserably (like downloading a Docker image). Networking is even more vulnerable in cloud environments, which is all the hype now. Plus some might want to use things like preemptible VMs to cut the costs. This feature would improve the overall fault tolerance of the whole system.

Thanks!

bethesque commented 3 years ago

Fair point. Build for failure! There are a few people looking for hacktober contributions, so I'll see if someone is up for it.

bethesque commented 3 years ago

@Koriit do you want it to fire if there are no verification results, or if there are no successful verification results?

bethesque commented 3 years ago

TODO:

Koriit commented 3 years ago

@bethesque I believe failed verification results are failed for a reason and no retrying would change that. So all we need is to trigger a webhook when there are no results whatsoever.