-
Improvement
-
Resolution: Fixed
-
Major
For security reasons, it's quite important for this plugin to support an option to verify a "secret" token. This option was added some time ago, you basically configure a "secret" in the GitHub webhook end, so you know the requests you are receiving is really from GitHub. The GitHub Pull Request Builder plugin (ghprb) already supports it. It would be great if this plugin add support too.
- is related to
-
-
- Open
-
- relates to
-
-
- Resolved
-
- links to
[JENKINS-33974] Add option to verify "secret" token
CloudBees plugin uses separate connector, so there is no relation. Please report branchsource/orgfolder issues to CloudBees.
For secret verification some repository should created trigger and then send ping event. When global configuration configured there is no any repositories that could be used for testing. You can call re-register all hooks and then check mange jenkins page that will have report in case of failed hooks creation. But maybe it doesn't check with ping event that hook succesfully configured...
It looks like this is the root cause of
JENKINS-36121so I think it's pretty urgent. It makes the Github Organization Folder plugin spam the Github API easily reaching the 5000 calls per hour limit.