Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Jenkins and GitHub webhook: HTTP 403

I have a GitHub repository which I would like to have notify Jenkins of new commits via a post-receive hook. I've installed the GitHub plugin into Jenkins and have allowed for Jenkins to manage it's own hook URLs. The project has the correct git repository URL and is instructed to "Build when a change is pushed to GitHub". When I have GitHub send a test payload I find this in the nginx webserver that front's Jenkins:

207.97.227.233 - - [15/Sep/2011:07:36:51 +0000] "POST /github-webhook/ HTTP/1.1" 403 561 "-" "-"

I was running SSL so I disabled it to no effect. Do I need to provide special permissions to an anonymous user in the permissions matrix?

Please forgive the lack of configuration files: I'm happy to share those that might exist but I don't know what might be useful to share.

like image 514
troutwine Avatar asked Sep 15 '11 07:09

troutwine


People also ask

What is my Jenkins webhook URL?

Manual Mode. icon (under Manage Jenkins > Configure System > GitHub) to see the URL in Jenkins that receives the post-commit POSTs — but in general the URL is of the form $JENKINS_BASE_URL/github-webhook/ — for example: https://ci.example.com/jenkins/github-webhook/ .


3 Answers

As I don't allow anonymous access, it turns out I needed to create a specific user for GitHub pushes and to grant it Overall read, Job create and Job read. It was also necessary to bundle the authentication into the webhook URL, like so:

https://foo:[email protected]/github-webhook/
like image 185
troutwine Avatar answered Oct 20 '22 18:10

troutwine


From Github's instructions ("Configuring global authentication", the first section),

1. Create a user in Jenkins which has, at a minimum, Job/Build permissions

2. Log in as that user (this is required even if you are a Jenkins admin user), then click on the user's name in the top right corner of the page

3. Click 'Configure,' then 'Show API Token...', and note/copy the User ID and API Token.

4. In GitLab, when you create webhooks to trigger Jenkins jobs, use this format for the URL and do not enter anything for 'Secret Token': http://USERID:APITOKEN@JENKINS_URL/project/YOUR_JOB

In my case I used http://USERID:APITOKEN@myIPaddress:808/ and no project/YOUR_JOB

like image 24
Bret Hess Avatar answered Oct 20 '22 19:10

Bret Hess


As previously mentioned Jenkins does not allow anonymous access (you don't want people to trigger builds for you!). Adding a username and password in the clear is not the best solution.

1) If your Jenkins is behind a VPN, you need to make sure that your Jenkins webhooks URL are exposed

2) In the GitHub plugin configuration add the correct accessible Jenkins webhook URL(https://jenkins.example.com/github-webhook/) in Override Hook URL

3) Add a secret in the Shared secret section (preferably a long random string). This would be a token sent from Jenkins to GitHub and vice versa for authentication. This should be different from the GitHub Server Credentials!

4) Make sure the user has owner access to add webhooks to your GitHub repos

5) Don't forget to re-register the webhooks after this

like image 38
Joe Haddad Avatar answered Oct 20 '22 17:10

Joe Haddad