Custom event > releases payload does not contain secret

[AuspeXeu]

• Gitea version (or commit ref): 1.5.2
• Git version: 2.9.3
• Operating system: CentOS
• Database:
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Not relevant

Description

When setting up a gitea webhook, one can provide a secret that is supposed to be included in the delivered POST application/json payload. This works fine for "Push Events", however when choosing "Custom Events..." and selecting "Releases", this secret is not included in the payload anymore.

[AuspeXeu]

I just tested the latest version 1.6.0-rc2 and it seems like this issue is still not resolved. Now, if I trigger a test delivery for a custom event of the type release, no request is queued whatsoever.

Edit: I tried this on the demo instance with the following settings.

As you can see here, no requests are received https://requestbin.net/r/1oa26911?inspect

[HoffmannP]

Could you explain "trigger a test delivery"? I tried to retrace your steps but couldn't find the same error

[AuspeXeu]

I simply press the "Test Delivery" button :)

[HoffmannP]

Okey, but it looks to me as if the TestDelivery is always executing a push event. If your webhook only acts on releases it will not be triggered.

gitea/routers/repo/webhook.go

Line 677 in 4c1f1f9

if err := models.PrepareWebhook(w, ctx.Repo.Repository, models.HookEventPush, p); err != nil {

Perhaps the button should be renamed to "Test push event"

[AuspeXeu]

My intuition was that the button tests whatever hook is specified at the top?!
Anyways, I had to put a new request bin, here the link to inspect it https://requestbin.net/r/wy4b3rwy?inspect

I pushed a tag (release) to the repository under https://try.gitea.io/test1337/Hooktest and it did not trigger a request to the request bin. So something seems to be broken, no?

Edit: Okay, I just figure out what the problem is. I am actually not sure whether it's a problem or by design. But there is definitely some confusion. If I create a tag and push it, the tag appears under releases in the repository, however the custom event hook is not triggered. BUT, if I create a release via the webinterface, the hook is triggered.

So here is some inconstancy. Either a normal tag should not be a release or it is considered a release and it should trigger the hook.

[lafriks]

@AuspeXeu tag without release in release list page is displayed differently

[lafriks]

release will be triggered when you create release (either by UI or API) either on new tag or existing. Pushing tag from git command will not create release, this is by design so

[AuspeXeu]

Okay, I guess it's all working correctly then in that case.

[HoffmannP]

Closeable?

[AuspeXeu]

I guess so :) - thanks for your efforts!
Edit: Actually ... I think the test delivery is still a bug, no? It should test whatever you set up instead of a push event?

[lafriks]

Test delivery will always issue push event

[AuspeXeu]

Why? :D

[lafriks]

Because it is just for testing if target can be reached not to test actual functionaliity

[AuspeXeu]

Well, but exactly this is not happening. If you set the hook to custom event as I showed above, and then press "test delivery" nothing happens. It claims that a fake event has been generated but no request ever reaches the specified endpoint.

Edit: these are the settings

And no request reaches https://requestbin.fullcontact.com/1h3kkfs1?inspect

[lafriks]

Ok, now I understand the problem. It is tested if event type is enabled before sending. This would require option to choose what kind of event to send then and implement each event type webhook content generation. I don't think that is worth time needed to develop this the gains.

[AuspeXeu]

Well, if we could at least have a delivery test that would be great :) One option could be, as you said, to always send a push event type. That way one could at least verify that the endpoint is reachable, no?

[lafriks]

If you enable push events and then try test delivery than it will work and do request. Later you can disable it again

[AuspeXeu]

Basically my point is, if someone is new to gitea and sets up a custom event webhook, they will wonder why the test delivery does not work unless the read this particular issue with our comments.

[lafriks]

We could probably add warning if push event is not enabled

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[6543]

Whats the state of this issue?

[techknowlogick]

Secret inside the payload has been deprecated, and the hmac header of webhook should now be used. Closing this issue.