Scenarios in which this could be useful:
- Preventing inadvertent violations of named-user licensing of build tools.
- Sending email.
- Authorize Project plugin setting “Run as the user who triggered the build.” However, implementing this might open a security vulnerability, so I think it is better to exclude this kind of integration until really needed.
The answer on Stack Overflow mentions the BITBUCKET_PAYLOAD environment variable. The Bitbucket plugin adds that in BitbucketPayload.java. Does the Bitbucket Branch Source plugin have anything similar yet?
The X-Hub-Signature header field should not be included in the value of the environment variable. Including it might let someone replay the webhook request and thereby impersonate Bitbucket Server.
Is there a privacy issue if the payload includes the email address and other user information, and this becomes part of a build log? Perhaps it would be safer to make the webhook payload an opt-in feature, enabled with a checkbox in the branch source. If unchecked, Jenkins would not save the payload in the Run and would not add the environment variable.
I'd like the build scripts to see the actor parameter of the webhook event payload, i.e. who is the user whose actions triggered the build. This is not always the same as the author or committer that can be queried from Git.
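
The following sketch is an added example, not code from this issue or from either plugin. It shows a webhook receiver that verifies X-Hub-Signature, never copies it into the build environment, exposes only the actor name by default, and adds the full payload only on opt-in. The `BITBUCKET_ACTOR` variable name, the `build_env` and `sign` helpers, the `sha256=<hex>` header format and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: secret, body and actor values are made up.
SECRET = b"constructed-webhook-secret"
BODY = json.dumps({
    "eventKey": "repo:refs_changed",
    "actor": {"name": "jdoe", "emailAddress": "jdoe@example.com",
              "displayName": "Jane Doe"},
}).encode()


def sign(secret: bytes, body: bytes) -> str:
    """Header value in the 'sha256=<hex HMAC>' form (assumed format)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_env(headers: dict, body: bytes, secret: bytes,
              expose_payload: bool = False) -> dict:
    """Verify the webhook, then return the variables a build may see.

    BITBUCKET_ACTOR is a hypothetical variable name; BITBUCKET_PAYLOAD is
    the name mentioned on the page. The signature is never copied.
    """
    received = headers.get("X-Hub-Signature", "")
    if not hmac.compare_digest(received.encode(), sign(secret, body).encode()):
        raise PermissionError("webhook signature mismatch")

    event = json.loads(body)
    actor = event.get("actor") or {}
    env = {}
    if actor.get("name"):
        # Only the login name: no email address ends up in the build log.
        env["BITBUCKET_ACTOR"] = actor["name"]
    if expose_payload:
        # Opt-in: the full payload carries emailAddress and other user data.
        env["BITBUCKET_PAYLOAD"] = body.decode("utf-8")
    return env


if __name__ == "__main__":
    hdrs = {"X-Hub-Signature": sign(SECRET, BODY)}
    print(build_env(hdrs, BODY, SECRET))
    print(sorted(build_env(hdrs, BODY, SECRET, expose_payload=True)))
```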