Nothing I try seems to trigger my Jenkins webhooks from GitHub
Things to know
My Jenkins instance sits behind a Nginx proxy
I am using the Organization type Jenkins project with a Jenkinsfile
The git user used is using a personal access token and has organization rights and all needed permissions
I have security set up on the Jenkins instance, so my Jenkins webhook URL is https://foo:bar@jenkins.doctify.co.uk/github-webhook/
The webhook has the accurate set of permissions
This gets the green tick and a 200 response from the Jenkins instance
When using polling to trigger the branch indexing this works correctly
In the logs I only see this sometimes, and never a pull request event
INFO: Received POST for https://github.com/doctify/platform
Jul 14, 2016 4:13:40 PM org.jenkinsci.plugins.github.webhook.subscriber.DefaultPushGHEventSubscriber onEvent
My Organization configuration
Jenkins Version 2.13, Git Version 2.7.5
Questions
How do I get this to work?
How do I make it better and have the organization plugin create the webhooks automatically, the way I'm sure it's meant to do?
Pulled latest jenkins image in docker. Followed the steps of jenkins io. Jenkins runs fine, I am able to create builds which checkout git repos.
What doesn't seem to work, is to create a pipeline for a PRIVATE github repo. The documentation states:
create access token in github [OK]
use it to authenticate [OK]
choose company/project [OK]
choose multibranch repo [OK]
create pipeline [fails]
The wizard complains that there is no existing Jenkinsfile in my repo. That's incorrect. I do have a Jenkinsfile, which is correct (generated by blueocean too). So I guess the fact that blueocean complains about a missing Jenkinsfile is related to not being able to find the project/branches in github. Something with credentials no longer working?
Also, when I follow the steps and try to manually create the pipeline:
Again, a strange error message, again I guess related to something which is broken in credential management, either in jenkins <-> github, or blueocean <-> github.
Last, when I open the build (=pipeline) from jenkins dashboard, I can click on Scan repository log which at least states the error clearly.
ERROR: [Mon Jul 11 12:43:07 UTC 2022] Could not update folder level actions from source blueocean
[Mon Jul 11 12:43:07 UTC 2022] Finished branch indexing. Indexing took 0.23 sec
FATAL: Invalid scan credentials when using anonymous access to connect to basprins/unode on https://api.github.com
Finished: FAILURE
Again, the Personal Access Token is good. I created one with ALL scopes enabled (max rights in my repo) just to be sure nothing is left unchecked. It is "good enough" to login and checkout the branch. It seems to fail with actually creating the pipeline. I have no clue what else can be wrong on my side.
I tried any combination of username/password (legacy email address username + legacy password, or my github username + personal access token, and all 4 possible combinations of the two username/password pairs). Nothing gives.
Is there anybody that can confirm (or deny?) that the above is possible, or would be willing to reproduce it on your side? It's a no-brainer docker setup. All you need to create is some temporary PRIVATE github.
Looking forward to an actual answer!
I had the same error and it seems like the jenkins credentials for the personal access token are not getting created automatically. This is how you can check if your issue is the same as mine:
Open the configuration of the multibranch pipeline.
Go to branch sources and then check if there is a name in the dropdown for credentials.
If there is no name then it's the same issue.
The following is what I did to fix it:
Click on Add and create a credential with the following values:
Kind: Choose the option username and password.
username: Enter the github username.
password: Enter the api token you created.
Create the credential by clicking on add.
Choose the credential in the dropdown credentials and save the configuration.
Go to the overview page for the multibranch pipeline (in the old jenkins, not blueocean) and click on Scan repository now to run the scan again with working credentials.
The error should now be resolved.
Again I got stuck trying to achieve the goal of triggering a deployment once code is pushed to the repo. I searched the net but found only old information; GitHub has been updated, and I set up all the values as per their instructions, but it is still not working, so it looks like I am missing something. I tried to follow these instructions, but they seem old: http://bytes.babbel.com/en/articles/2014-01-22-github-service-hook-for-aws-ops-works.html
The interface is confusing, and I am confused because there is no connection between the repo name and the OpsWorks service, so what value should the webhook send to the OpsWorks service?
Below is what I understood
Set up a webhook, and it will trigger and send a payload to CI or services as needed once code is pushed to the repo (this part is working and sends the payload somewhere). But this is failing because of its Payload URL; should I give the OpsWorks service URL generated by GitHub?
OpsWorks services: this is not working.
App
Given from the AWS OpsWorks app: OpsWorks ID
Stack
Given from the AWS OpsWorks stack: OpsWorks ID
Branch name
Here is the confusion again: as per GitHub help I need to give the SHA configured for that app in the AWS OpsWorks Console? Why should I give the SHA and not master or the link of the repo?
GitHub api url
This is optional; what should I give here?
Aws access key
No issues
Aws secret access key
No issues
GitHub token
Optional: created a token as instructed. It does not work either with or without the token.
So if you check, OpsWorks is not getting triggered. I thought that when I pushed the changes it might work internally, but it does not.
So it seems the webhook and the OpsWorks service need to interact at some level, but I am unable to figure it out :(
I checked GitHub help too and found nothing for the new interface.
I checked Google and Stack Overflow too, but did not find anything.
Kindly, anyone, please answer.
One alternative way would be to set up AWS CodePipeline (CodeDeploy??) to deploy to your AWS Opsworks stack.
CodePipeline is a Continuous Delivery solution from Amazon. In mid-2016 they announced that CodePipeline works with OpsWorks - see their blog announcement: AWS CodePipeline Adds Integration with AWS OpsWorks. There are some walkthroughs there too, depending on what version of OpsWorks your stack is set up for.
(It does feel a bit weird to use a deployment service to deploy to a service that has an existing deployment service... but eh, thought this might help)
The problem is with the process between GitHub and OpsWorks: if there is any error, neither reports the error to the user.
I contacted GitHub support, and luckily they responded with the error message "The security token included in the request is invalid."
Then I recopied the access key and secret key, left "GitHub api url" blank, and set the branch name to "master" (so it will always deploy the latest version, aka head).
Also make sure you set the permission again in OpsWorks; this is separate from the IAM permission.
Steps -> Go to your stack - Permission and edit -> add user github with permission "IAM Policies Only".
There is no interaction between webhooks and integrations, so you can make use of integration services without a webhook :).
Thanks to both Stack Overflow and GitHub :)
I am familiar with Jenkins Pull Request Builder, and in the past I had set up a freestyle job with it to build my project based on the comment that an authorized user put (for example, test in prod).
Now I am trying to use Jenkins 2.0 with the GitHub organization plugin for one of my projects.
This is the scenario:
A user is making a PR to master (or some other sensitive branch)
A test is going to get run automatically.
After the test passes, an authorized user needs to go to the PR and put a comment Deploy to test environment, and then a Jenkinsfile that was waiting for this input needs to get triggered.
I just don't know how to do step 3. How do I make a Jenkins pipeline job listen for comments in GitHub repo pull requests? The Jenkins documentation is not really clear about the input-from-user part.
I read this thread answer but the documentation about the Gates approval is really limited.
I know this is super late, but here's some info for future Googlers:
I have a Github webhook that sends the event to a Lambda function that will parse the event for a specific comment string, then create an HTTP POST request for the Jenkins job, which is configured to allow builds to be triggered remotely.
So: open PR > comment on PR 'Deploy to test environment' > webhook sends to AWS APIGateway > AWS SNS topic > AWS Lambda > parse the event for comment > If comment matches, create HTTP POST > Jenkins receives request and runs job
There's a lot of documentation on this, but none of it together, so here are the resources that I used:
Regarding allowing jobs to be triggered remotely:
https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API
Using Github to trigger Lambda function:
https://aws.amazon.com/blogs/compute/dynamic-github-actions-with-aws-lambda/
Github API. You will want to pay particular attention to the Issues API:
https://developer.github.com/webhooks/
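The comment filter and Jenkins call from the answer above, sketched as an added example (not the answerer's code). It also checks that the comment is on a pull request and that the commenter is an authorized user. The `TRUSTED` set, the `PR_NUMBER` build parameter, and the host, job, user and token values are assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

TRIGGER_PHRASE = "Deploy to test environment"
# Assumption: which GitHub author associations count as "authorized".
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}


def github_payload_from_sns(event):
    """Unwrap the GitHub JSON that SNS hands to Lambda as a string."""
    return json.loads(event["Records"][0]["Sns"]["Message"])


def pr_to_deploy(payload):
    """Return the PR number to deploy, or None when the event is ignored."""
    if payload.get("action") != "created":
        return None  # edited or deleted comments never trigger a deploy
    issue = payload.get("issue") or {}
    if "pull_request" not in issue:
        return None  # comment on a plain issue, not on a pull request
    comment = payload.get("comment") or {}
    if comment.get("author_association") not in TRUSTED:
        return None  # commenter is not an authorized user
    if (comment.get("body") or "").strip() != TRIGGER_PHRASE:
        return None  # whole comment must match; quoting the phrase is not enough
    return issue["number"]


def jenkins_request(base_url, job, user, api_token, pr_number):
    """Build (without sending) the authenticated POST for the Jenkins remote API."""
    # PR_NUMBER is a hypothetical build parameter defined on the job.
    query = urllib.parse.urlencode({"PR_NUMBER": pr_number})
    url = f"{base_url.rstrip('/')}/job/{urllib.parse.quote(job)}/buildWithParameters?{query}"
    basic = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    return urllib.request.Request(
        url, data=b"", method="POST", headers={"Authorization": f"Basic {basic}"}
    )


def lambda_handler(event, context):
    pr = pr_to_deploy(github_payload_from_sns(event))
    if pr is None:
        return {"triggered": False}
    # Constructed values; in a real function these come from configuration.
    req = jenkins_request("https://jenkins.example.com", "deploy-test", "hook-user", "API_TOKEN", pr)
    with urllib.request.urlopen(req, timeout=10):
        return {"triggered": True, "pr": pr}
```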
I have setup a build process in VSTS that is pulling source code from a public facing SVN url. It works great when I manually queue the build from the dashboard or if I schedule a build to run at a certain time. However, when a build gets queued by continuous integration it throws the following exception:
An exception occurred while polling the repository. Error: Microsoft.TeamFoundation.Build2.Server.Extensions.BuildPollingException: Unable to connect to a repository at URL '<Path to the URL I am referencing>' --->
SharpSvn.SvnRepositoryIOForbiddenException: Unable to connect to a repository at URL '<Path to the URL I am referencing>' --->
SharpSvn.SvnRepositoryIOForbiddenException: Access to '<Path to the trunk of the repository>' forbidden
When I look at the event log on the server that Subversion lives on, it shows that the build agent is trying to access the URL with an anonymous login, hence the exception I am seeing.
Has anyone run into this before? I know I have configured the service endpoint correctly with user credentials since it works when I manually fire off or schedule queue the build. I've done pretty extensive searching on this topic but have not found much info that involves VSTS and SVN issues. Any guidance or questions will be greatly appreciated.
The CI's Polling Job is executed by the Job Agent on the TFS server. Apparently, your Job Agent is configured to run as NT AUTHORITY\NETWORK SERVICE (i.e., as DOMAIN\TFSSERVER$). On the other hand, it looks like your VisualSVN Enterprise instance is configured to use NTLM. In this case, basic credentials are not used by the SharpSvn library the Polling Job uses to access the repository. Unfortunately, that's a SharpSvn restriction. You either should provide the computer account (DOMAIN\TFSSERVER$) with the READ access to the SVN repository in the VisualSVN server configuration (to continue using NTLM), or disable NTLM on the VisualSVN server to switch to Basic authentication.
[Few technical details] The anonymous requests you see in SVN logs are part of the normal HTTP request flow implemented in the SharpSvn library:
The library first submits an anonymous request to the server.
If the server rejects the request, the library inspects the WWW-Authenticate response headers to detect the authentication scheme requested by the server.
The WWW-Authenticate: NTLM header has a higher priority compared to WWW-Authenticate: Basic. That's why the username and password specified in the connection endpoint are not used at all.
If only the WWW-Authenticate: Basic header is present in the response, the library uses a callback function provided by the client to request credential information. At this point the username and password specified in the connection endpoint are provided to the library by the Polling Job.
[Note 1] The Polling Job does not download any sources from the SVN repository; it only requests the list of files changed since its last successful execution and decides if it's time to schedule a build.
[Note 2] If the Polling Job continuously fails for the same reason, it reports each 100th failure to TFS as a failed build, providing a reason for the failure.
Alex
I look to be having a similar issue. Using TFS 2015 Update 3 and VisualSVN Server 3.4.6. I get the same error with CI polling. On the SVN Server I get the following errors every time TFS polls: Access denied: 'TFSSERVER$' OPTIONS : [client ]
Here TFSSERVER$ is the computer name of our TFS Server.
So I gave DOMAIN\TFSSERVER$ Read Only permissions at the root of the repository and then things worked OK. Not happy that I had to do that of course.
Filed this bug about it: SVN CI Polling Uses TFS Machine Account Not SVN Account Set in the Service EndPoint
There isn't any big difference between CI and manual/scheduled build for SVN repository. When you configure it to continuous integration, it just keeps checking the SVN repository by the Polling interval you set and then runs the build if there is any new change. The only difference between them is that you need to set "Filters" for CI, and based on the access forbidden error message you get, you don't have the permission to read the path. So you need to check if your account has the read permission to the path you set in "Filters".
I have a GitHub repository which I would like to have notify Jenkins of new commits via a post-receive hook. I've installed the GitHub plugin into Jenkins and have allowed for Jenkins to manage its own hook URLs. The project has the correct git repository URL and is instructed to "Build when a change is pushed to GitHub". When I have GitHub send a test payload I find this in the nginx webserver that fronts Jenkins:
207.97.227.233 - - [15/Sep/2011:07:36:51 +0000] "POST /github-webhook/ HTTP/1.1" 403 561 "-" "-"
I was running SSL so I disabled it to no effect. Do I need to provide special permissions to an anonymous user in the permissions matrix?
Please forgive the lack of configuration files: I'm happy to share those that might exist but I don't know what might be useful to share.
As I don't allow anonymous access, it turns out I needed to create a specific user for GitHub pushes and to grant it Overall read, Job create and Job read. It was also necessary to bundle the authentication into the webhook URL, like so:
https://foo:password@jenkins.example.com/github-webhook/
From Github's instructions ("Configuring global authentication", the first section),
1. Create a user in Jenkins which has, at a minimum, Job/Build permissions
2. Log in as that user (this is required even if you are a Jenkins admin user), then click on the user's name in the top right corner of the page
3. Click 'Configure,' then 'Show API Token...', and note/copy the User ID and API Token.
4. In GitLab, when you create webhooks to trigger Jenkins jobs, use this format for the URL and do not enter anything for 'Secret Token': http://USERID:APITOKEN@JENKINS_URL/project/YOUR_JOB
In my case I used http://USERID:APITOKEN@myIPaddress:808/ and no project/YOUR_JOB
As previously mentioned Jenkins does not allow anonymous access (you don't want people to trigger builds for you!). Adding a username and password in the clear is not the best solution.
1) If your Jenkins is behind a VPN, you need to make sure that your Jenkins webhook URLs are exposed
2) In the GitHub plugin configuration add the correct accessible Jenkins webhook URL (https://jenkins.example.com/github-webhook/) in Override Hook URL
3) Add a secret in the Shared secret section (preferably a long random string). This would be a token sent from Jenkins to GitHub and vice versa for authentication. This should be different from the GitHub Server Credentials!
4) Make sure the user has owner access to add webhooks to your GitHub repos
5) Don't forget to re-register the webhooks after this
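What the shared secret in step 3 provides, as an added example (not the GitHub plugin's code): GitHub computes an HMAC-SHA256 over the raw request body with the secret and sends it as `X-Hub-Signature-256: sha256=<hex>`, so a receiver can authenticate the delivery without credentials in the URL. The function names and the returned status codes are choices made for this sketch.

```python
import hashlib
import hmac


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256 for this body and secret."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_delivery(headers: dict, raw_body: bytes, secret: bytes) -> int:
    """Return the HTTP status a webhook receiver should answer with."""
    # Header names are case-insensitive; a proxy such as nginx may re-case them.
    lowered = {name.lower(): value for name, value in headers.items()}
    supplied = lowered.get("x-hub-signature-256")
    if supplied is None:
        # Unsigned delivery, or only the legacy SHA-1 header was sent.
        return 401
    # Sign the bytes exactly as received: re-serialising the JSON first
    # changes whitespace and key order and breaks the comparison.
    expected = expected_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 401
    return 202
```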
https://username:password@jenkins.example.com/github-webhook/ worked for me but the password has to be encoded for the payload to work. My github was not able to contact jenkins due to nginx authorisation but passing username and encoded password worked!