
Jenkins: Build on push to Git

30 Jan 2020

In this post I discuss build on push to GitHub and build on push to Git. This was originally posted to Reddit.

Build on push to GitHub

For GitHub webhooks,

Prerequisites you need

  • A service account in GitHub with a personal access token that has OAuth scopes repo and admin:repo_hook.
  • The service account must be an admin on the intended repository for the multibranch pipeline. This is necessary so Jenkins can automatically configure webhooks.
  • Inbound connectivity for delivering payloads from GitHub to your internal Jenkins. You can achieve this in three ways that I know of offhand:
      1. A proxy which receives webhook payloads and passes them on to Jenkins without exposing Jenkins to GitHub.
      2. Allow GitHub to communicate directly with your Jenkins instance. GitHub publishes its network addresses, so if you do this you should limit access to only the GitHub webhook IP addresses.
      3. Use a webhook relay service like https://webhookrelay.com/
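
Option 2 above as an added example (not part of the original post): it builds a default-deny allowlist from the `hooks` ranges in the JSON that GitHub's `/meta` API returns. The sample JSON uses constructed documentation CIDRs, and the `/github-webhook/` location and the `jenkins-internal:8080` upstream are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like the JSON from GitHub's /meta endpoint.
# The CIDRs are documentation ranges, not GitHub's real addresses.
SAMPLE_META = json.dumps({
    "hooks": ["192.0.2.0/24", "198.51.100.64/26", "2001:db8:100::/40"],
    "web": ["203.0.113.0/24"],  # other keys must not widen the allowlist
})


def hook_networks(meta_json):
    """Return the parsed 'hooks' CIDRs; refuse an empty or malformed list."""
    cidrs = json.loads(meta_json).get("hooks") or []
    if not cidrs:
        raise ValueError("no 'hooks' ranges found; refusing to build an empty allowlist")
    # strict=True rejects entries with host bits set, e.g. 192.0.2.1/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_webhook_source(addr, networks):
    """True when addr (IPv4 or IPv6 string) lies inside a hooks range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable peer address: deny
    # IPv4-mapped IPv6 peers (::ffff:a.b.c.d) are checked as IPv4
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip.version == net.version and ip in net for net in networks)


def nginx_allowlist(networks, location="/github-webhook/"):
    """Render a default-deny nginx location body for the webhook path."""
    lines = ["location %s {" % location]
    lines += ["    allow %s;" % net for net in networks]
    # Hypothetical upstream name; replace with your internal Jenkins address.
    lines += ["    deny all;", "    proxy_pass http://jenkins-internal:8080;", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = hook_networks(SAMPLE_META)
    print(nginx_allowlist(nets))
    for peer in ("192.0.2.10", "203.0.113.5", "::ffff:198.51.100.70"):
        print(peer, is_webhook_source(peer, nets))
```

The published ranges change over time, so regenerate the allowlist on a schedule rather than pasting it in once.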

Process

  1. Configure a String credential and note the ID of the credential you create. Set the scope to system so that it is not widely available to users.
  2. Configure the GitHub plugin in Jenkins to enable Manage Hooks (link to script console script). Set the credential ID to your token credential.
  3. Use GitHub branch source configuration (link to Job DSL script) on multibranch pipelines.

Additional notes:

  • If you’re configuring the multibranch job manually, then it will register webhooks when you save the job.
  • If you’re configuring it with Job DSL scripts, then you’ll need a post-job system groovy script to run after Job DSL creates the jobs.

Build on push to Git

I once managed the Jenkins infrastructure for the GIMP development team. This system did not use typical webhooks but instead used a generic push to Git from GitLab to trigger builds.

If you configure your jobs with the Git plugin, then you can utilize the Git plugin feature notifyCommit where you make a GET request to /git/notifyCommit?url=<url encoded git repository>. This will trigger all multibranch pipelines which use the encoded git clone URL to perform a multibranch Scan.

Let’s say you configure a multibranch pipeline job to clone source code from https://gitlab.gnome.org/GNOME/gimp. Then you would configure a hook in GitLab to call the following URL.

https://jenkins.example.com/git/notifyCommit?url=https%3A%2F%2Fgitlab.gnome.org%2FGNOME%2Fgimp

It is an okay practice to enable both webhooks and periodic scans so that you don’t miss any calls for scanning.

You can also configure post-receive hooks on classic Git repositories for push events.


This article was last updated Mar 29, 2020.

Posted in Engineering with tags: Git, Groovy, Jenkins, Job DSL Plugin, Programming, Reddit Response, Tips

