Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48610

Shared secret is not updated in GitHub for existing web hooks

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • github-plugin
    • None
    • Jenkins 2.73.3
      GitHub Plugin 1.26.0

      Steps to reproduce

      1. Configure GitHub plugin properly, such that web hooks trigger builds on push
      2. Change the shared secret in Jenkins
      3. Re-register all hooks
      4. Trigger web hook in GitHub
      5. Result: Web hook fails with HTTP status code 400, response
        <html>
        <head>
        <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
        <title>Error 400 Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</title>
        </head>
        <body><h2>HTTP ERROR 400</h2>
        <p>Problem accessing /github-webhook/. Reason:
        <pre>    Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>
        
        </body>
        </html>

      Steps to fix manually

      1. Delete broken web hook
      2. Re-register web hooks
      3. Result: Web hook works again

      Best-Effort Analysis

      After a bit of digging, it seems to me that the GitHub plugin does not update already existing hooks, see https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/webhook/WebhookManager.java#L195:

      if (hooks.size() == 1 && isEqualCollection(alreadyRegistered, events)) {
          LOGGER.debug("Hook already registered for events {}", events);
          return null;
      }
      

      According to the commit message, this was intentional. If desired, I am happy to provide a pull request to fix this issue. I see the following options:

      • Re-register all hooks without checking for already existing hooks. One-liner, but not efficient for many hooks.
      • Update the value of the shared secret for already existing hooks. More efficient, but requires a upgrade of the GitHub API. I'm not sure whether the secret is the only thing that requires an update.

          [JENKINS-48610] Shared secret is not updated in GitHub for existing web hooks

          Easy solution option implemented in https://github.com/jenkinsci/github-plugin/pull/185

          Matthias Silbernagl added a comment - Easy solution option implemented in https://github.com/jenkinsci/github-plugin/pull/185

            lanwen Kirill Merkushev
            silbernm Matthias Silbernagl
            Votes:
            2 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: