
Allow GitHub Webhooks to be created by users with custom roles

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Minor
    • github-plugin
    • None

      Hello,

      I would like to stop relying on GitHub repository Admin users to create GitHub Webhooks, but rather use a user with a custom role (available in GitHub Enterprise) that allows them to manage the repository and the webhooks.

      More specifically, the setup I was looking for is:

      1. Have a custom GitHub role `Jenkins` just like the `Contractor` role defined in GitHub documentation
      2. For a GitHub user `jenkins-gh-user`, create a Personal Access Token with `repo` and `admin:repo_hook` scopes to be used by Jenkins.
      3. Give the user `jenkins-gh-user` access to a repository with role `Jenkins`
      4. Follow instructions to allow Jenkins to manage GitHub Webhooks, and use the Personal Access Token created in step 2.
      5. Configure a Jenkins job such that `GitHub hook trigger for GITScm polling`
      6. Try to re-create the webhooks using `Manage Jenkins > Configure System > GitHub > Re-register hooks for all jobs`.

      The expected result would be that the Webhook is created in the GitHub repository, but it turns out nothing is created.

      Upon turning on DEBUG logs for `org.jenkinsci.plugins.github.webhook.WebhookManager`, a line like `None of the github repos configured have admin access for` is logged, which comes from WebhookManager.java. It seems that the repository user must have the Admin role, not a custom role.

      It seems like the code does not allow the above setup to work, but I still wonder if there's something I might have missed. Could someone provide some help with this setup, or clarify if it even makes sense?

      Thank you!

          [JENKINS-70548] Allow GitHub Webhooks to be created by users with custom roles

          Nuno added a comment -

          Additionally, by removing the "admin check" from the WebhookManager.java I am able to achieve the setup above. If that's something that makes sense to implement I'd be happy to provide a PR.


          Jesse added a comment -

          We just ran into this issue with a custom role based on write with manage_webhooks added.

          resource "github_organization_custom_role" "jenkins" {
            name        = "jenkins"
            description = "Jenkins custom role"
            base_role   = "write"
            permissions = [
              "manage_webhooks",
            ]
          }


          IODES added a comment - https://github.com/jenkinsci/github-plugin/pull/375
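
The gap reported in this thread, modelled as an added example (not code from the issue, the comments, or the Jenkins GitHub plugin): a gate that looks only at the coarse admin flag rejects a least-privilege custom role that still carries `manage_webhooks`. The function names, `CUSTOM_ROLES` and `ASSIGNMENTS` are hypothetical and constructed; the sketch assumes a custom role inherits the coarse flags of its `base_role`.

```python
# Added example: constructed data, not code from the Jenkins GitHub plugin.
# Role order and flag names follow GitHub's built-in repository roles.
BASE_ROLES = ["read", "triage", "write", "maintain", "admin"]
FLAGS = ["pull", "triage", "push", "maintain", "admin"]

# Constructed custom role, mirroring the Terraform resource in this thread.
CUSTOM_ROLES = {
    "jenkins": {"base_role": "write", "permissions": ["manage_webhooks"]},
}


def effective_flags(role_name, custom_roles=CUSTOM_ROLES):
    """Map a built-in or custom role to the coarse permission flags."""
    # Assumption: a custom role reports the flags of its base role.
    base = custom_roles.get(role_name, {}).get("base_role", role_name)
    if base not in BASE_ROLES:
        raise ValueError(f"unknown role: {role_name!r}")
    level = BASE_ROLES.index(base)
    return {flag: i <= level for i, flag in enumerate(FLAGS)}


def admin_only_gate(role_name, custom_roles=CUSTOM_ROLES):
    """Admin-flag check: the behaviour the issue reports."""
    return effective_flags(role_name, custom_roles)["admin"]


def capability_gate(role_name, custom_roles=CUSTOM_ROLES):
    """Accept admin, or a custom role that adds manage_webhooks."""
    extra = custom_roles.get(role_name, {}).get("permissions", [])
    return admin_only_gate(role_name, custom_roles) or "manage_webhooks" in extra


def skipped_despite_permission(assignments, custom_roles=CUSTOM_ROLES):
    """Repos where the admin-only check rejects a role that can manage hooks."""
    return sorted(
        repo for repo, role in assignments.items()
        if capability_gate(role, custom_roles)
        and not admin_only_gate(role, custom_roles)
    )


# Constructed role assignments for the user jenkins-gh-user.
ASSIGNMENTS = {"org/app": "jenkins", "org/legacy": "admin", "org/docs": "write"}

if __name__ == "__main__":
    for repo, role in ASSIGNMENTS.items():
        print(repo, role, admin_only_gate(role), capability_gate(role))
    print("skipped:", skipped_despite_permission(ASSIGNMENTS))
```
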

            lanwen Kirill Merkushev
            nuno_sc Nuno
            Votes: 2
            Watchers: 3
