-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
Jenkins 2.73.3
GitHub Plugin 1.26.0
Steps to reproduce
- Configure GitHub plugin properly, such that web hooks trigger builds on push
- Change the shared secret in Jenkins
- Re-register all hooks
- Trigger web hook in GitHub
- Result: Web hook fails with HTTP status code 400, response
<html> <head> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Error 400 Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</title> </head> <body><h2>HTTP ERROR 400</h2> <p>Problem accessing /github-webhook/. Reason: <pre> Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/> </body> </html>
Steps to fix manually
- Delete broken web hook
- Re-register web hooks
- Result: Web hook works again
Best-Effort Analysis
After a bit of digging, it seems to me that the GitHub plugin does not update already existing hooks, see https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/webhook/WebhookManager.java#L195:
if (hooks.size() == 1 && isEqualCollection(alreadyRegistered, events)) { LOGGER.debug("Hook already registered for events {}", events); return null; }
According to the commit message, this was intentional. If desired, I am happy to provide a pull request to fix this issue. I see the following options:
- Re-register all hooks without checking for already existing hooks. One-liner, but not efficient for many hooks.
- Update the value of the shared secret for already existing hooks. More efficient, but requires a upgrade of the GitHub API. I'm not sure whether the secret is the only thing that requires an update.
Easy solution option implemented in https://github.com/jenkinsci/github-plugin/pull/185