Jenkins and GitHub webhook: HTTP 403 - github

I have a GitHub repository which I would like to have notify Jenkins of new commits via a post-receive hook. I've installed the GitHub plugin into Jenkins and have allowed Jenkins to manage its own hook URLs. The project has the correct git repository URL and is instructed to "Build when a change is pushed to GitHub". When I have GitHub send a test payload I find this in the nginx webserver that fronts Jenkins:
207.97.227.233 - - [15/Sep/2011:07:36:51 +0000] "POST /github-webhook/ HTTP/1.1" 403 561 "-" "-"
I was running SSL so I disabled it to no effect. Do I need to provide special permissions to an anonymous user in the permissions matrix?
Please forgive the lack of configuration files: I'm happy to share those that might exist but I don't know what might be useful to share.

As I don't allow anonymous access, it turns out I needed to create a specific user for GitHub pushes and to grant it Overall read, Job create and Job read. It was also necessary to bundle the authentication into the webhook URL, like so:
https://foo:password@jenkins.example.com/github-webhook/

From Github's instructions ("Configuring global authentication", the first section),
1. Create a user in Jenkins which has, at a minimum, Job/Build permissions
2. Log in as that user (this is required even if you are a Jenkins admin user), then click on the user's name in the top right corner of the page
3. Click 'Configure,' then 'Show API Token...', and note/copy the User ID and API Token.
4. In GitLab, when you create webhooks to trigger Jenkins jobs, use this format for the URL and do not enter anything for 'Secret Token': http://USERID:APITOKEN@JENKINS_URL/project/YOUR_JOB
In my case I used http://USERID:APITOKEN@myIPaddress:808/ and no project/YOUR_JOB

As previously mentioned, Jenkins does not allow anonymous access (you don't want people to trigger builds for you!). Adding a username and password in the clear is not the best solution.
1) If your Jenkins is behind a VPN, you need to make sure that your Jenkins webhook URLs are exposed
2) In the GitHub plugin configuration add the correct accessible Jenkins webhook URL (https://jenkins.example.com/github-webhook/) in Override Hook URL
3) Add a secret in the Shared secret section (preferably a long random string). This would be a token sent from Jenkins to GitHub and vice versa for authentication. This should be different from the GitHub Server Credentials!
4) Make sure the user has owner access to add webhooks to your GitHub repos
5) Don't forget to re-register the webhooks after this
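The shared secret in step 3 is what lets the receiving side check that a delivery actually came from GitHub: GitHub signs the raw request body with it and sends the HMAC in the X-Hub-Signature-256 header. As an added example (not code from the post or from the Jenkins GitHub plugin, which performs this check internally), here is that verification; the secret, body and headers are constructed values.

```python
import hashlib
import hmac

# Constructed sample values for this example; a real secret comes from the
# plugin's "Shared secret" field and the body from the incoming request.
SHARED_SECRET = b"example-shared-secret-replace-me"
SAMPLE_BODY = b'{"ref":"refs/heads/main","repository":{"full_name":"org/repo"}}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the X-Hub-Signature-256 header value GitHub sends for `body`."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook(headers: dict, body: bytes, secret: bytes) -> bool:
    """True only if the request carries a valid sha256 HMAC over the raw body.

    The MAC must be computed over the raw bytes as received: re-serialising
    parsed JSON changes whitespace and key order and breaks the check.
    A missing or legacy sha1-only header is rejected rather than tolerated,
    and the comparison is constant-time.
    """
    sig = headers.get("X-Hub-Signature-256", "")
    if not sig.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign_payload(SHARED_SECRET, SAMPLE_BODY)}
    print("valid delivery:", verify_webhook(good, SAMPLE_BODY, SHARED_SECRET))
    print("tampered body: ", verify_webhook(good, SAMPLE_BODY + b" ", SHARED_SECRET))
```

A receiver that only checks for a valid username and password in the URL learns nothing about who sent the body; the signature check is what ties the delivery to the secret held by GitHub and Jenkins.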

https://username:password@jenkins.example.com/github-webhook/ worked for me but the password has to be encoded for the payload to work. My GitHub was not able to contact Jenkins due to nginx authorisation but passing the username and encoded password worked!
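The encoding the answer above refers to is percent-encoding of the userinfo part of the URL: characters such as @, :, / or # in the password would otherwise be read by the URL parser as the host, port, path or fragment delimiter. As an added example (not from the post), here is a small builder that encodes both parts and a parser that reads them back the way a client would; the user, password and host are constructed values.

```python
from urllib.parse import quote, unquote, urlsplit


def webhook_url(user: str, password: str, host: str,
                path: str = "/github-webhook/") -> str:
    """Build https://user:password@host/path with the userinfo percent-encoded.

    safe="" makes quote() encode '/', ':', '@' and '#' as well, which are the
    characters that otherwise break the URL when they appear in a password.
    """
    return f"https://{quote(user, safe='')}:{quote(password, safe='')}@{host}{path}"


def credentials_from_url(url: str) -> tuple:
    """Parse the URL as a client would and return (user, password, hostname)."""
    parts = urlsplit(url)
    return (unquote(parts.username or ""),
            unquote(parts.password or ""),
            parts.hostname)


if __name__ == "__main__":
    # Constructed credentials with every delimiter character in the password.
    url = webhook_url("github-hook", "p@ss:w/rd#1", "jenkins.example.com")
    print(url)
    print(credentials_from_url(url))
    # The unencoded form parses to the wrong host, which is what GitHub would
    # have tried to contact.
    raw = "https://github-hook:p@ss:w/rd#1@jenkins.example.com/github-webhook/"
    print(credentials_from_url(raw)[2])
```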

Related

Jenkins Embeddable Build Status plugin gets redirected due to SSO

I'm trying to add Jenkins build status using the Embeddable Build Status plugin onto Github README.md file. I have SSO for Github and Jenkins and I assumed it will have the login info in the browser cookies or wherever it stored that info but looks like it doesn't work that way (The same URL works and picks up SSO info and doesn't prompt me when I open it from a browser. It just doesn't like Github pulling that info)
I see a 302 redirect on the Jenkins status badge link that is getting redirected to the SSO page and is expecting JS to be enabled for it to work which isn't possible on a Github README.md page (Even if that was possible I would not see a login prompt)
The console has a warning for this redirected URL request as Cross-Origin Read Blocking (CORB) blocked cross-origin response <the-URL> with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
I also set the Jenkins config to ViewStatus for anonymous uses based on JENKINS-17798 and I'm using the unprotected link but it still needs SSO
Is there a way I can fix this?
Read this first: Cors-Filter Plugin for Jenkins.
Before you go debugging, first make sure that CORS is enabled for the Jenkins instance. You can go to Configure System in Jenkins and then to CORS Filter:
A very short summary:
Access-Control-Allow-Origins - List of domains that may access the Jenkins URL.
Access-Control-Allow-Headers - Headers that can be used to make the actual request.
Access-Control-Expose-Headers - List of headers browsers are allowed to access.
Whenever one tries to authenticate from one domain to another, it usually gets redirected in Jenkins if the CORS Filter is not active. So try this first.

OAuth Scope required for Creating Github pull requests with Personal Access Token

I need to create documentation giving instructions to generate a Personal Access Token that will only need to create Pull Requests on Github.
I've read the documentation describing the various OAuth scopes, but it is still not clear to me which OAuth scope(s) I need to select in order to be able create a Pull Request.
What OAuth scope(s) need to be selected for users to be able to create Pull Requests?
From https://docs.github.com/en/rest/reference/pulls#create-a-pull-request:
To open or update a pull request in a public repository, you must have write access to the head or the source branch. For organization-owned repositories, you must be a member of the organization that owns the repository to open or update a pull request.
The repos scope should be needed.
And, with the GitHub CLI gh v2.22.0 (Jan. 2023), you can search from within your local cloned GitHub repository:
See gh auth status --show-token: it will display the auth token you are using.

Github Jenkins webhook security problems

I've been using Github Jenkins webhook for a while with no problem.
I have my Jenkins running behind a Nginx proxy and the only security installed was the nginx htpasswd.
So my Github webhook looked like this:
https://user:pass@jenkins.blablabla.biz/job/script/buildWithParameters
Where user and pass are the credentials from the htpasswd file.
Right now I'm trying to add users to my Jenkins and I activated matrix based security to it with the option to register and login to Jenkins.
The server works perfect initially asking for nginx credentials and jenkins login second.
I created a github user in Jenkins and I generated a token for him.
Now I changed my Github webhook to use the new Jenkins github user credentials:
https://github:token@jenkins.blablabla.biz/job/script/buildWithParameters
As far as I know this should work. But it does not.
I think that the problem here is having the two security systems activated (nginx htpasswd and jenkins login). But I want both.
Do I have to use the two credentials in my webhook? How can I do that?
When I use nginx credential Github receives this response from jenkins when webhook is triggered:
Authentication required You are authenticated as: anonymous
Groups that you are in: Permission you need to have (but didn't):
hudson.model.Hudson.Read ... which is implied by:
hudson.security.Permission.GenericRead ... which is implied by:
hudson.model.Hudson.Administer
And when I use jenkins credential Github receives this response from jenkins when webhook is triggered:
401 Authorization Required 401 Authorization Required
nginx/1.11.10
You can disable basic auth in your nginx.conf for one URL:
location /github-webhook/ {
    auth_basic "off";
    ...
}
location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    ...
}
Finally I decided to shut down the nginx HTTP-based security and rely only on the Jenkins security. Now my Jenkins server is visible from anywhere.
I changed the format of the GitHub Jenkins webhook in order to use the Jenkins Build Token Root plugin:
https://wiki.jenkins-ci.org/display/JENKINS/Build+Token+Root+Plugin
I didn't find a way to use both authentication methods.
The idea was to ask for an extra password (HTTP based) if someone tried to access from outside the office.
That's all.

Github with opswork auto deployment using webhook help needed

Again I got stuck trying to achieve the target of triggering a deployment once code is pushed to the repo. I searched the net but found only old information; GitHub has been updated, and as per their instructions I set up all the values but it is still not working, so it looks like I am missing something. I tried to follow these instructions but they seem old: http://bytes.babbel.com/en/articles/2014-01-22-github-service-hook-for-aws-ops-works.html
The interface is confusing and I am confused because there is no connection between the repo name and the OpsWorks service, so what value should the webhook send to the OpsWorks service?
Below is what I understood:
Setup webhook: it will trigger and send a payload to CI or services as needed once code is pushed to the repo (this part is working and sends the payload somewhere). But this is failing because of its Payload URL: should I give the OpsWorks service URL generated by GitHub?
OpsWorks service: this is not working.
App
Given from the AWS OpsWorks app: OpsWorks ID
Stack
Given from the AWS OpsWorks stack: OpsWorks ID
Branch name
Here is the confusion again: as per GitHub help I need to give the SHA configured for that app in the AWS OpsWorks Console? Why should I give the SHA and not master or the link of the repo?
GitHub API URL
This is optional; what should I give here?
AWS access key
No issues
AWS secret access key
No issues
GitHub token
Optional: created a token as instructed; both with the token and without the token it is not working.
So if you check, OpsWorks is not getting triggered. I thought that when I push the changes it might work internally, but no.
So it seems the webhook and the OpsWorks service need to interact at some level but I am unable to figure it out :(
I checked GitHub help too and found nothing for the new interface.
I checked Google and Stack Overflow too, but did not find anything.
Kindly, anyone please answer.
One alternative way would be to set up AWS CodePipeline (CodeDeploy??) to deploy to your AWS Opsworks stack.
CodePipeline is a Continuous Delivery solution from Amazon. Mid 2016 they announced that CodePipeline works with OpsWorks - see their blog announcement: AWS CodePipeline Adds Integration with AWS OpsWorks. There's some walkthroughs there too, depending on what version of OpsWorks your stack is set up for.
(It does feel a bit weird to use a deployment service to deploy to a service that has an existing deployment service... but eh, thought this might help)
The problem is with the process of GitHub and OpsWorks: if there is any error then neither reports the error to the user.
I contacted GitHub support and luckily they responded to me with the error message "The security token included in the request is invalid."
Then I recopied the access key and secret key, left "GitHub api url" blank and set the branch name to "master" (so it will always deploy the latest version aka head).
Also make sure you set the permission again in OpsWorks; this is separate from the IAM permission.
Steps -> Go to your stack -> Permissions and edit -> add the user github with permission "IAM Policies Only".
There is no interaction between webhooks and integrations, so you can make use of integration services without a webhook :).
Thanks to Stack Overflow and GitHub both :)

Is it possible to connect Github to Unfuddle to use powerful commit messages?

My team is using Github for code hosting and Unfuddle for ticketing. Is it possible to connect Github to Unfuddle so that we are able to update/close tickets from our commit messages?
As markdorison notes, there are service hooks in github enterprise to do this.
First, you need to make sure your github account has the permissions necessary to administer your repo. You need to be set up as a repository "owner."
Once you have those permissions, if you go to the overview page of your github hosted repository /ORGANIZATION/REPOSITORY, you will see a row of familiar tabs, with one new member at the far right:
Code Network Pull Requests Issues Graphs Admin
Click on admin, and you'll see a menu at the left of the admin page with a link to "Service Hooks."
Once you're on this page, scroll (far) down to find the "unfuddle" service hook.
Click on the Unfuddle service hook and a small form will open up in the upper right of your browser. Fill it out like so:
Subdomain: Your organization's Unfuddle subdomain, i.e. ORG.unfuddle.com
Repo Id: The numeric Id of the github repository you are trying to connect to unfuddle.
Username: Your unfuddle user account name.
Password: Your unfuddle user account password.
_ HttpOnly (check if appropriate)
√ Active (set to active to use this service, uncheck to stop using it)
Then click the "update settings" submit button.
On completion, you will see a new button called "Test Hook." Click that to test the connection and make sure it is working.
Within a few minutes, you should start seeing commit history being reflected in Unfuddle's repository listings.
Pro Tip: Set up an Unfuddle account just for external services like GitHub, and use this account instead of individual user accounts for creating the service hookup.
This functionality is provided from the Unfuddle service hook offered in Github. You can find it in the admin section of your repository.