Skip to content
This repository has been archived by the owner on Apr 20, 2023. It is now read-only.

How to prevent the need for token for public projects (jenkins) #70

Open
halkeye opened this issue Jul 27, 2016 · 11 comments
Open

How to prevent the need for token for public projects (jenkins) #70

halkeye opened this issue Jul 27, 2016 · 11 comments

Comments

@halkeye
Copy link

halkeye commented Jul 27, 2016

Reading over https://github.com/codecov/codecov-python/blob/master/codecov/__init__.py it looks like to me the only reason you need to provide --token= for jenkins and not travis, is because job is set for travis?

Why isn't job set to something (BUILD_NUMBER, or timestamp) for jenkins?

That way token wouldn't be required for public projects.

@stevepeak
Copy link
Contributor

@halkeye it is more than just the job number. We tap TravisCI API to validate build params to ensure the upload is authentic.

If the CI provider has an API endpoint we can not require the token, but until then we must include the token for authentication.

@halkeye
Copy link
Author

halkeye commented Jul 27, 2016

Jenkins has a built in api that you can get access from a run

What data do you need?

On Jul 27, 2016 5:47 AM, "Steve Peak" [email protected] wrote:

@halkeye https://github.com/halkeye it is more than just the job
number. We tap TravisCI API to validate build params to ensure the upload
is authentic.

If the CI provider has an API endpoint we can not require the token, but
until then we must include the token for authentication.


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#70 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAGuB_ZRM1dcUi5OHgfknoZXcX8L9a9Pks5qZ1NvgaJpZM4JV3Wx
.

@stevepeak
Copy link
Contributor

Is there documenation this API endpoint? That would be the most help 👍

@halkeye
Copy link
Author

halkeye commented Jul 27, 2016

Okay I'll see what I can dig up the next time I'm at a computer

I know you can access it through the api link on the bottom of every page

Would be something like /jenkins/job/$build_name/$build_id/api

On Jul 27, 2016 6:23 AM, "Steve Peak" [email protected] wrote:

Is there documenation this API endpoint? That would be the most help 👍


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#70 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAGuBxWirGk4TOQo1pO6t-j0JhxXsNaSks5qZ1vOgaJpZM4JV3Wx
.

@halkeye
Copy link
Author

halkeye commented Jul 27, 2016

https://wiki.jenkins-ci.org/display/JENKINS/Remote+access+API

Has some info too

I don't think it's super documented though

It's also not hard to expose more info through a custom plugin if needed

On Jul 27, 2016 6:28 AM, "Gavin" [email protected] wrote:

Okay I'll see what I can dig up the next time I'm at a computer

I know you can access it through the api link on the bottom of every page

Would be something like /jenkins/job/$build_name/$build_id/api

On Jul 27, 2016 6:23 AM, "Steve Peak" [email protected] wrote:

Is there documenation this API endpoint? That would be the most help 👍


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#70 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAGuBxWirGk4TOQo1pO6t-j0JhxXsNaSks5qZ1vOgaJpZM4JV3Wx
.

@stevepeak
Copy link
Contributor

I see posting builds, but not an endpoint for GET builds. I would guess it's simply at

curl -X GET JENKINS_URL/job/JOB_NAME/build/BUILD_NUM

There likely is an authorization token required to access this data.

Is there documentation on GET builds?

@halkeye
Copy link
Author

halkeye commented Jul 27, 2016

I'm not super familiar with the rest apis, but I can ping the mailing list
if need be

curl -X GET $BUILD_URL would prevent you needing to build the url yourself

HUDSON_COOKIE

HUDSON_SERVER_COOKIE

JENKINS_SERVER_COOKIE

I'm not sure how (yet) but those can be used during the request for
authentication on hitting the urls

https://jenkins.ci.cloudbees.com/job/plugins/job/sauce-ondemand-plugin/338/api/json?pretty=true

^^ has a bunch of info.

On Wed, Jul 27, 2016 at 10:43 AM, Steve Peak [email protected]
wrote:

I see posting builds, but not an endpoint for GET builds. I would guess
it's simply at

curl -X GET JENKINS_URL/job/JOB_NAME/build/BUILD_NUM

There likely is an authorization token required to access this data.

Is there documentation on GET builds?


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#70 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAGuB6RAERpCMXizzcBRJxX7gyVDXzmGks5qZ5jKgaJpZM4JV3Wx
.

@stevepeak
Copy link
Contributor

Thanks for the details here. So the environment variables you stated would be used to authorize access to the BUILD_URL endpoint? ❤️ Love it!

How would I use the cookie if I'm making this api request server side?

@halkeye
Copy link
Author

halkeye commented Jul 27, 2016

Oh I'm totally wrong, those cookies are just random strings for identification purposes.

I'm trying to figure out ways to run codecov tool in public without being able to provide token in a secret way.

If that means writing a helper plugin to expose more data I totally will.

@stevepeak
Copy link
Contributor

That would be great! Here are some ideas of the information we would like to verify in order to accept uploads:

  1. repository slug being tested owner/repo
  2. if the Jenkins build is still running
  3. commit sha being tested
  4. branch being tested

@stevepeak
Copy link
Contributor

Here is an example:

{
  "finished": false,
  "build_num": 145,
  "slug": "owner/repo",
  "commit": {
    "sha": "815be8d6e1af1c3449407cc6d085b550f14b907d",
    "branch": "master",
    "is_merge_commit": false
  }
}

@thomasrockhu thomasrockhu self-assigned this Oct 16, 2020
@thomasrockhu thomasrockhu removed their assignment Jul 21, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants