AWS CodeBuild GitHub webhook does not update status of pull request

Using the official guide, I created a build project to run tests on GitHub pull request creation. The webhook is correctly shown on GitHub and builds are being triggered in CodeBuild; however, the build status is not shown in GitHub, despite the option "Report build status" being set to true. If I correctly understood the tutorial, CodeBuild has native support for GitHub, and after successful creation of a webhook the new verification check should be added for PR submissions automatically. Any suggestions to make this work?

It should work automatically. If builds are triggering but CodeBuild is not reporting back on the status, then it sounds like the CodeBuild project no longer has permission to the repo. You could try adding the GitHub source to CodeBuild again.
"Report build status" actually has no effect when triggered by a webhook, and should always report back in theory (https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html). It's set to false for my project and always updates the pull requests.

Ensure the GitHub user has write access to the repository, and if you're using a Personal Access Token (PAT), ensure the repo:status scope is granted:
Grants read/write access to public and private repository commit statuses. This scope is only necessary to grant other users or services access to private repository commit statuses without granting access to the code.
https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
(I experienced this issue recently. The PAT had the necessary scopes granted but the GitHub user had read-only access to the repository. Granting the GitHub user write permission solved the problem.)

Related

GitHub Actions main repository secret not picked up from pull request build

I'm building out one of my company's projects through GitHub Actions, in which we are running the workflow from the latest pull request raised. I have noticed one thing: whenever it tries to use the secret from the main repository, it gives a "bad credentials" error.
At the same stage, when I tried to run it from the main repository, it works fine. Do we have to give some permissions to the pull request to call the secret from the main repository?
Any suggestions will help.
By default, pull-request builds don't get access to the secrets to prevent people from using the pull requests to exfiltrate your secrets through a change that reads the environment and sends the data somewhere else.
Due to the dangers inherent to automatic processing of PRs, GitHub’s standard pull_request workflow trigger by default prevents write permissions and secrets access to the target repository. However, in some scenarios such access is needed to properly process the PR. To this end the pull_request_target workflow trigger was introduced.
See here for additional details:
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
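The article linked above describes the pattern that makes pull_request_target dangerous: the workflow runs with the base repository's secrets and a write-capable token, and becomes exploitable only if it then checks out and executes the pull request's own code. The following script is an added example (not from the original answer or the linked article) that audits workflow files for that combination, so a repository owner can catch it in review or in a pre-commit hook. It scans the YAML text line by line so no YAML library is needed, and the two workflow files embedded in it are constructed samples.

```python
"""Flag GitHub Actions workflows that combine a `pull_request_target` trigger
with a checkout of the pull request's head ref.  Added example; the two
workflow texts below are constructed, not taken from any real repository."""
import re
from typing import List

# Constructed sample: privileged trigger + checkout of untrusted PR code + a secret.
UNSAFE_WORKFLOW = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same trigger, but the checkout stays on the base branch,
# so only trusted code runs with the secrets (the legitimate use of the trigger).
SAFE_WORKFLOW = """\
name: PR label
on:
  pull_request_target:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
"""

# `on: pull_request_target`, `on: [pull_request_target]` or a `pull_request_target:` key under `on:`.
TARGET_TRIGGER_RE = re.compile(r"^\s*(?:on:.*\bpull_request_target\b|pull_request_target\s*:)", re.M)
CHECKOUT_RE = re.compile(r"uses:\s*['\"]?actions/checkout")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.")


def uses_pull_request_target(text: str) -> bool:
    return TARGET_TRIGGER_RE.search(text) is not None


def checkout_refs(text: str) -> List[str]:
    """Return the `ref:` value of every actions/checkout step ('' when the default ref is used)."""
    lines = text.splitlines()
    refs: List[str] = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.search(line):
            continue
        step_indent = len(line) - len(line.lstrip())
        ref = ""
        # The step's own `with:` block is everything indented deeper than its `- uses:` line.
        for follow in lines[i + 1:]:
            if not follow.strip():
                continue
            if len(follow) - len(follow.lstrip()) <= step_indent:
                break
            m = re.match(r"\s*ref:\s*(.+?)\s*$", follow)
            if m:
                ref = m.group(1)
        refs.append(ref)
    return refs


def audit(text: str) -> List[str]:
    """Return findings for the risky pattern; an empty list means it was not found.

    A plain `pull_request` trigger is never flagged: as the answer above says, fork
    builds under that trigger get no secrets, so checking out PR code there is fine."""
    if not uses_pull_request_target(text):
        return []
    return [
        f"pull_request_target workflow checks out untrusted PR code (ref: {ref}); "
        "repository secrets and the write token are exposed to it"
        for ref in checkout_refs(text)
        if HEAD_REF_RE.search(ref)
    ]


if __name__ == "__main__":
    for name, text in [("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW)]:
        findings = audit(text)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for f in findings:
            print("  -", f)
```

Run it over `.github/workflows/*.yml` by reading each file into `audit()`; the safe variant shows that pull_request_target itself is not the problem, only checking out and running the PR's code under it.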

GitHub branch protection rule settings don't list CodeBuild project

I am working on integrating a CodeBuild project with GitHub to run as a required action for PRs as a branch protection rule.
CodeBuild settings:
Connected with GitHub OAuth
Enabled status badges
Enabled "Rebuild every time a code change is pushed to this repository"
Enabled "Report build statuses to source provider when your builds start and finish"
Added PULLREQUEST events to the webhooks
GitHub settings:
CodeBuild webhook is set up correctly.
CodeBuild OAuth app has the AWS region permission
Whenever I create/update a PR I see that the CodeBuild project is running. All good so far.
Now when I am trying to add a branch protection rule, it says:
No status checks found
My assumption is that when CodeBuild is set up with OAuth properly, I should be able to see the CodeBuild check listed under the branch protection rule settings.
Am I missing something? I have been stuck here for almost a day. Any help is appreciated. Thank you.

Azure Pipelines doesn't allow enabling pull request validation

While trying to enable Azure pull request validation, it throws the following error:
Unable to configure a service on the selected GitHub repository. This is likely caused by not having the necessary permission to manage hooks for the selected repository.
I have created a GitHub connection with an access token and enabled all the scopes as follows. What exact scope do I need to enable?
I think the scopes are not the main cause of your issue. I generated different GitHub PATs and found that the pipeline with Azure pull request validation enabled can work well even when I only defined part of what you've defined above.
Please check this similar issue, and check if you can directly create a webhook in the GitHub web UI (GitHub => Settings => Webhooks). According to the reply from Eddie:
"If it is a personal repository, only the repository owner can create hooks. If it is an organization repository, you need at least 'Admin permissions', which can 'Change a repository's settings' with the 'Adding, removing, and editing webhooks and service hooks' permission included."
Hope it helps.
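Two of the answers on this page come down to the same pre-flight question about the GitHub identity a CI system uses: the CodeBuild answer (token needs repo:status, and the user needs write access to post commit statuses) and the Azure answer (the user needs admin on the repository to manage hooks). The script below is an added example, not code from either answer or from AWS or Microsoft, that encodes both checks so they can be run before wiring up a webhook. It assumes the two inputs a live check would fetch: the X-OAuth-Scopes response header GitHub returns for classic PATs and OAuth tokens (for example on GET /user), and the `permission` field of GET /repos/{owner}/{repo}/collaborators/{username}/permission. The sample values are constructed to reproduce the two failure cases described above.

```python
"""Pre-flight check of a CI service's GitHub identity: token scopes plus repository
permission, for commit-status reporting and for webhook management.
Added example; the CASE dictionaries are constructed stand-ins for live API responses."""
from typing import Dict, List, Set, Tuple

# Classic-token scopes that permit each task (per GitHub's OAuth scope documentation).
# `repo` is the parent scope covering both; `repo:status` is the minimal one for statuses.
STATUS_SCOPES: Set[str] = {"repo", "repo:status"}
HOOK_SCOPES: Set[str] = {"repo", "admin:repo_hook", "write:repo_hook"}

# Repository permission levels as reported by the collaborator permission endpoint, ranked.
PERM_RANK: Dict[str, int] = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Minimum requirement per task: statuses need write access on the repo (the CodeBuild
# answer), creating hooks needs admin (the Azure answer).
REQUIREMENTS: Dict[str, Tuple[Set[str], str]] = {
    "status": (STATUS_SCOPES, "write"),
    "hooks": (HOOK_SCOPES, "admin"),
}


def parse_scopes(x_oauth_scopes: str) -> Set[str]:
    """Split the comma-separated X-OAuth-Scopes header into a set of scope names."""
    return {s.strip() for s in x_oauth_scopes.split(",") if s.strip()}


def diagnose(scopes: Set[str], permission: str, task: str) -> List[str]:
    """Return the blockers for `task` ('status' or 'hooks'); an empty list means it should work."""
    needed_scopes, needed_perm = REQUIREMENTS[task]
    problems: List[str] = []
    if not scopes & needed_scopes:
        problems.append(f"token lacks a scope for {task}; need one of {sorted(needed_scopes)}")
    if PERM_RANK.get(permission, 0) < PERM_RANK[needed_perm]:
        problems.append(f"user permission is '{permission}' but {task} needs at least '{needed_perm}'")
    return problems


# Constructed sample: the CodeBuild answer's case, scope present but user is read-only.
CODEBUILD_CASE: Dict[str, str] = {"x_oauth_scopes": "repo:status, read:org", "permission": "read"}
# Constructed sample: the Azure answer's case, broad scopes but no admin on the repo.
AZURE_CASE: Dict[str, str] = {"x_oauth_scopes": "repo, workflow", "permission": "write"}


def run_case(case: Dict[str, str], task: str) -> List[str]:
    return diagnose(parse_scopes(case["x_oauth_scopes"]), case["permission"], task)


if __name__ == "__main__":
    for label, case, task in [
        ("CodeBuild commit-status reporting", CODEBUILD_CASE, "status"),
        ("Azure Pipelines webhook creation", AZURE_CASE, "hooks"),
    ]:
        problems = run_case(case, task)
        print(f"{label}: {'OK' if not problems else 'BLOCKED'}")
        for p in problems:
            print("  -", p)
```

The two checks are deliberately independent: a token with every scope still cannot post a status through a read-only user, and an admin user still cannot create hooks through a token that lacks a hook-capable scope, which is why both dimensions show up in the output.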

How to allow Travis-CI access to a GitHub organisation with restricted applications access?

If I try to click the “flip switch” next to a new repository in my Travis account, the flip switches but the hooks are never configured and I cannot trigger a build in Travis.
If I look at the console, I can read the following error:
XMLHttpRequest cannot load https://api.travis-ci.org/hooks/123456. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://travis-ci.org' is therefore not allowed access. The response had HTTP status code 500.
This may be linked to my GitHub organisation having activated third-party applications restrictions. Yet, all my previous repositories still build fine, and it's been weeks!
How can I start building a new repository in my Travis organisation account?
This is indeed linked to your organisation having third-party application restrictions, or “third-party whitelisting”.
You may not detect the problem at first since your current public repositories still receive web hooks, so it may be weeks before you get issues with Travis, and the connection with activation may be long lost in your mind.
So, now that you've figured out these weird CORS/500 errors are linked to third-party application restrictions, you need to grant access to Travis again. But how? Travis has already been allowed access and won't ask you again for it upon login!
You have to go to your own user-approved application list in your GitHub profile, and click “View” next to the Travis-CI listing.
If you scroll down, you will get an “Organization access” listing. Your restricted organisation should be listed here, with a cross next to its name. Click “Grant access” to allow Travis into your org.
Everything should be in order now, and you should be able to activate Travis for your repo! You will just need to trigger a build by pushing a new commit after having “flipped the switch”.

GitHub Organization Repo + Jenkins (GitHub Plugin) integration

I have an organization on GitHub with private repositories. I also have Jenkins set up running on port 8080 on a server, with the GitHub plugin installed. I've created an account on GitHub for my jenkins user, which resides in the owners group.
I'm trying to trigger a job on jenkins when a change is pushed to my development branch (or master branch, neither seem to be working).
When I look at the GitHub Hook Logs in Jenkins, it says that Polling has not run yet. When I go to "Manage Jenkins", the GitHub plugin says my account is Verified when I test it.
Any insight on how to configure this? I have multiple repositories I'd like to work with, so deploy keys don't seem like the solution to me.
Update:
As Craig Ringer mentions in his answer, you can select Grant READ permissions for /github-webhook in "Configure Jenkins" under the GitHub plugin settings, allowing the webhook to be called without authentication.
Another update: Webhooks are now (Dec. 2014) available for organization: see WebHooks API for orgs.
Note: the issue 4 of the hudson-github-plugin was about:
Last GitHub Push
Polling has not run yet.
And the conclusion was:
Nevermind, the only missing piece was a permission checkbox for the github user which ain't documented anywhere on the internet.
So is this a permission issue regarding your Jenkins users?
The article "Set up Jenkins-CI on Ubuntu for painless Rails3 app CI testing" includes the following process:
To restrict the CI system and give access to your team members to use or see the build logs, first you have to create an account.
Go to Manage Jenkins > Configure System,
Check the Enable Security checkbox
Under Security Realm, choose Jenkins's own user database
Check the Allow users to sign up checkbox
Under Authorization, choose Project-based Matrix Authorization Strategy
Add the first user with the name admin and another named GitHub (note: the username for admin access has to be admin). For the GitHub-named user, just choose the Overall Read-only permission. We'll use this user later with the GitHub hook.
Note: adding the admin and GitHub users in the above step does not create the users. You then have to create a real user with the same name. Ya, I know, it's a bit weird with the Jenkins UI.
Go to Manage Jenkins > Manage Users > Create User. Create both admin and GitHub users.
Hooking with the Github web-hooks
Now to run the build automagically when new commit or branch gets pushed onto Github, we have to setup the repository.
Go to the hooks page for your repository, e.g.
github.com/<username>/<project_name>/admin/hooks
Under AVAILABLE SERVICE HOOKS > Post-Receive URLs, add github:github#your-ci-server.com/github-webhook/.
The github:github is the user that we’d created earlier.
Then we have to verify Jenkins with Github. Go to Manage Jenkins > Configure System and under GitHub Web Hook, add your Github username and password and click the Test Credential button to authorize once with Github.
It looks like the accepted answer is no longer necessary with the current version of the GitHub plugin. You can instead check Grant READ permissions for /github-webhook in "Configure Jenkins" under the GitHub plugin settings, allowing the webhook to be called without authentication.
As explained in the help on this option that's quite safe, and frankly no worse than having a user named "github" with password "github" anyway.
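Granting anonymous read access to the webhook path means anything on the network that can reach Jenkins can POST to it. GitHub webhooks support a shared secret for exactly this situation: each delivery carries an X-Hub-Signature-256 header holding an HMAC-SHA256 of the raw request body, so the receiver can reject anything that was not produced by a sender holding the secret. The code below is an added example of that verification, written here for illustration and not taken from the answer above or from the Jenkins GitHub plugin; the secret and payload are constructed values, and `handle_delivery` stands in for whatever the receiving endpoint does next.

```python
"""Verify GitHub's X-Hub-Signature-256 webhook signature.  Added example; the
SECRET and PAYLOAD values are constructed, and handle_delivery is a stand-in
for a real receiver such as a Jenkins hook endpoint."""
import hashlib
import hmac
from typing import Dict


def sign(secret: bytes, body: bytes) -> str:
    """Return the header value GitHub sends: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Constant-time check of the signature header; missing or unprefixed headers fail closed.

    `body` must be the exact bytes received: re-serialising parsed JSON changes the
    digest and makes every genuine delivery fail."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), signature_header)


# Constructed webhook secret and push-event body for the demonstration.
SECRET = b"constructed-webhook-secret"
PAYLOAD = b'{"ref":"refs/heads/development","repository":{"full_name":"example-org/example-repo"}}'


def handle_delivery(headers: Dict[str, str], body: bytes) -> str:
    """Minimal receiver: drop unsigned or mis-signed deliveries before looking at the event."""
    if not verify(SECRET, body, headers.get("X-Hub-Signature-256", "")):
        return "rejected"
    if headers.get("X-GitHub-Event") != "push":
        return "ignored"
    return "build triggered"


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign(SECRET, PAYLOAD), "X-GitHub-Event": "push"}
    forged = {"X-Hub-Signature-256": sign(b"wrong-secret", PAYLOAD), "X-GitHub-Event": "push"}
    print("genuine delivery:", handle_delivery(good, PAYLOAD))
    print("forged delivery: ", handle_delivery(forged, PAYLOAD))
```

The check runs before any event parsing, so a caller who can reach the unauthenticated path but does not hold the secret cannot trigger a build or influence which repository is polled.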
There are two ways to achieve automatic builds on Jenkins. What you choose depends on whether GitHub can call the Jenkins server URL you provide. This may not be the case if you are running Jenkins behind a firewall.
If GitHub can reach that URL you can set up the service hook on your repo there.
If not you can set up Jenkins to poll periodically.
You may set up both, but one solution is enough to get it working. I would always go for the first if feasible, as it saves resources, CPU- and traffic-wise.
Either way you need the GitHub plugin for Jenkins.
Hope that helps a bit.