Page MenuHomePhabricator

Create webhook to deploy new content
Closed, ResolvedPublic3 Estimated Story Points

Description

Create webhook in github (https://github.com/wmde/fundraising-frontend-content) that invokes polling in Jenkins (T167096) and hence runs the deployment job to the respective instance(s) when a branch is changed.

AC:

  • Jenkins has necessary permission (keys) to deploy to fundraising_frontend_test, fundraising_frontend_production
  • webhook endpoint uses key/token AC removed as event merely causes polling which can do little harm even when from fake actor
  • content gets deployed to fundraising_frontend_test (test branch), fundraising_frontend_production (production branch) respectively
  • email notification is sent - Receiver list will be looked at during "Editing content" meeting on July 04

Event Timeline

gabriel-wmde changed the point value for this task from 5 to 8.
Pablo-WMDE updated the task description. (Show Details)
Pablo-WMDE updated the task description. (Show Details)Jun 6 2017, 10:21 AM
gabriel-wmde changed the point value for this task from 8 to 3.
Pablo-WMDE moved this task from Todo to Doing on the WMDE-Fundraising-Sprint-6 board.

Github webhook now uses SSL Verification against our Endpoint

@gabriel-wmde @kai.nissen Two questions:

  • there is the AC "webhook endpoint uses key/token", but given how the plugin works I think this can be skipped. The ping will only cause a polling (git ls-remote) - if no change is detected this is it. Do you share the opinion that this is not a sufficient attack vector to warrant creation of another secret that has to be managed?
  • looks like we can start to get serious about this - what would be the correct receiver list for our deployment emails (incl non-tech people)?
  • For the time being, I'd be ok with not using a token. Would it be possible to ignore requests from non-github-IPs?
  • So far, we don't have a mailing list for that. Let's find that who wants to be on it at the introduction for the FR team.

@gabriel-wmde

  • In my eyes, using IPs for auth purposes in this day and age is a Bad Idea™. If you do think there is an attack vector we should address, then let's do it by actual security, using a secret - I just don't think it's necessary
  • ok. Is this story done despite the incomplete receiver list?
Pablo-WMDE closed this task as Resolved.Jun 26 2017, 10:55 AM
Pablo-WMDE updated the task description. (Show Details)
Pablo-WMDE moved this task from Doing to Done on the WMDE-Fundraising-Sprint-6 board.