How to reference a secret in a GitHub webhook payload URL?
The link we followed: https://www.cloudbooklet.com/jenkins-how-to-build-a-specific-branch-on-github/
We are using the Generic Webhook Trigger plugin to trigger automatic builds when a commit is pushed to the repository. Everything is working fine when the token value is passed directly in the GitHub webhook payload URL:
https://JENKINS_URL/generic-webhook-trigger/invoke?token=YOUR_TOKEN
But we wanted to reference the token value through the secret shown in the image below
I did try to reference the secret value in the below way
http://JENKINS_URL/generic-webhook-trigger/invoke?token=${{ Secret }}
But it's not picking up that secret value; instead, I think it sees ${{Secret }} as the token value.
The response is the below one for the above way of passing/referencing secret/token value.
{"jobs":null,"message":"Did not find any jobs with GenericTrigger configured! If you are using a token, you need to pass it like ...trigger/invoke?token=TOKENHERE. If you are not using a token, you need to authenticate like http://user:[email protected]/generic-webhook... "}
So what would be the right way of referencing the secret of the token value for this particular use-case?

What you are seeing in the Secret area is not a secret to use inside GitHub itself, but to be used by the receiver of the hook (Jenkins in your case). This is to validate that the request indeed comes from the GitHub hook, and not from someone else just using this as an entrypoint to Jenkins.
On the Jenkins side, the received request will contain an X-Hub-Signature-256 header, containing the hash of the secret.
Source: https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries#validating-webhook-deliveries
Regarding the removal of hardcoded secrets:
There is no syntax in the UI to do this; the only reasonable way to do this I have seen around is to use proxies/gateways.
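The receiver-side check and the gateway approach described above, as an added example that is not part of the original answer: GitHub sends X-Hub-Signature-256 as "sha256=" followed by the hex HMAC-SHA256 of the raw request body, keyed with the webhook secret. The secret, the token and the function names below are constructed for illustration; a real gateway would load both values from its own secret store.

```python
import hashlib
import hmac
from typing import Mapping, Optional
from urllib.parse import urlencode

# Constructed sample values (assumptions); never hardcode these in a real gateway.
WEBHOOK_SECRET = b"constructed-webhook-secret"   # value typed into the GitHub "Secret" field
JENKINS_TOKEN = "constructed-jenkins-token"      # Generic Webhook Trigger token
JENKINS_INVOKE = "https://JENKINS_URL/generic-webhook-trigger/invoke"


def sign(secret: bytes, body: bytes) -> str:
    """Build the header value GitHub sends: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check X-Hub-Signature-256 against the exact bytes received, in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign(secret, body).encode()
    return hmac.compare_digest(expected, header.encode())


def forward_url(body: bytes, headers: Mapping[str, str]) -> Optional[str]:
    """Return the Jenkins URL with the token appended server-side, or None if unverified.

    The token never appears in the GitHub webhook configuration; GitHub only
    knows the gateway's URL and the shared webhook secret.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if not verify(WEBHOOK_SECRET, body, lowered.get("x-hub-signature-256")):
        return None
    return JENKINS_INVOKE + "?" + urlencode({"token": JENKINS_TOKEN})


if __name__ == "__main__":
    payload = b'{"ref":"refs/heads/main"}'  # constructed delivery body
    delivery = {"X-Hub-Signature-256": sign(WEBHOOK_SECRET, payload)}
    print("verified delivery ->", forward_url(payload, delivery))
    print("unsigned delivery ->", forward_url(payload, {}))
```

The signature must be computed over the raw request bytes before any JSON parsing or re-serialization, otherwise valid deliveries will fail the check.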