
[JENKINS-48610] Shared secret is not updated in GitHub for existing web hooks

Open jenkins-infra-bot opened this issue 8 years ago • 4 comments

Steps to reproduce

  1. Configure GitHub plugin properly, such that web hooks trigger builds on push
  2. Change the shared secret in Jenkins
  3. Re-register all hooks
  4. Trigger web hook in GitHub
  5. Result: Web hook fails with HTTP status code 400, response
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
    <title>Error 400 Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</title>
    </head>
    <body><h2>HTTP ERROR 400</h2>
    <p>Problem accessing /github-webhook/. Reason:
    <pre>    Provided signature [ebae18a50080a53a1e20932ab1217d82c291ed39] did not match to calculated</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>
    </body>
    </html>

Steps to fix manually

  1. Delete broken web hook
  2. Re-register web hooks
  3. Result: Web hook works again

Best-Effort Analysis

After a bit of digging, it seems to me that the GitHub plugin does not update already existing hooks, see https://github.com/jenkinsci/github-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github/webhook/WebhookManager.java#L195:

    if (hooks.size() == 1 && isEqualCollection(alreadyRegistered, events)) {
        LOGGER.debug("Hook already registered for events {}", events);
        return null;
    }

According to the commit message, this was intentional. If desired, I am happy to provide a pull request to fix this issue. I see the following options:

  • Re-register all hooks without checking for already existing hooks. One-liner, but not efficient for many hooks.
  • Update the value of the shared secret for already existing hooks. More efficient, but requires an upgrade of the GitHub API. I'm not sure whether the secret is the only thing that requires an update.

Originally reported by silbernm, imported from: Shared secret is not updated in GitHub for existing web hooks
  • assignee: lanwen
  • status: Open
  • priority: Major
  • component(s): github-plugin
  • resolution: Unresolved
  • votes: 2
  • watchers: 4
  • imported: 2025-12-08
  • environment: Jenkins 2.73.3, GitHub Plugin 1.26.0

jenkins-infra-bot, Dec 18 '17 19:12
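
The failure reported above, as an added example that is not part of the original thread and not the plugin's code: a toy model of a webhook sender and receiver around a re-registration step that skips existing hooks. HMAC-SHA1 over the raw body is assumed (the signature in the error message is 40 hex characters); the hook store, function names, secrets and payload are constructed for illustration.

```python
import hashlib
import hmac

def sign(secret: bytes, body: bytes) -> str:
    # Sender side: hex HMAC of the raw request body under the hook's secret.
    return hmac.new(secret, body, hashlib.sha1).hexdigest()

def receive(current_secret: bytes, body: bytes, provided: str) -> int:
    # Receiver side: recompute with the currently configured secret and
    # compare in constant time; a mismatch is answered with HTTP 400.
    calculated = sign(current_secret, body)
    return 200 if hmac.compare_digest(calculated, provided) else 400

def reregister(remote_hooks: list, events: set, secret: bytes) -> str:
    # Toy model of the early return quoted in the issue: one existing hook
    # with the same events is left untouched, so its secret is never replaced.
    if len(remote_hooks) == 1 and remote_hooks[0]["events"] == events:
        return "skipped"
    remote_hooks[:] = [{"events": set(events), "secret": secret}]
    return "created"

def deliver(remote_hooks: list, receiver_secret: bytes, body: bytes) -> int:
    # The sender signs with whatever secret is stored on the hook.
    hook = remote_hooks[0]
    return receive(receiver_secret, body, sign(hook["secret"], body))

def demo() -> list:
    body = b'{"ref": "refs/heads/master"}'   # constructed payload
    old, new = b"old-secret", b"new-secret"  # constructed secrets
    events = {"push"}
    hooks = []
    trace = [reregister(hooks, events, old), deliver(hooks, old, body)]
    # Steps 2-4 of the report: rotate the secret locally, re-register, push.
    trace += [reregister(hooks, events, new), deliver(hooks, new, body)]
    # Manual fix from the report: delete the stale hook, then re-register.
    hooks.clear()
    trace += [reregister(hooks, events, new), deliver(hooks, new, body)]
    return trace

if __name__ == "__main__":
    print(demo())
```
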

silbernm:

Easy solution option implemented in https://github.com/jenkinsci/github-plugin/pull/185

jenkins-infra-bot, Jan 09 '18 20:01

kutzi:

Also have been bitten by this now:
I added a shared secret and tried to fix all webhooks by running 'Re-register all hooks'.
Unfortunately, it doesn't seem to update existing hooks. I had to delete the hooks manually one-by-one.

jenkins-infra-bot, May 28 '25 11:05

kutzi:

Reading about the technical difficulties to implement it correctly (mentioned in https://github.com/jenkinsci/github-plugin/pull/185),
I think the best solution would be to add a checkbox to force-update all webhooks.

jenkins-infra-bot, May 28 '25 11:05

kutzi:

On a related note:
I think the text of the button is misleading in this context. It says 'Re-register hooks for all jobs',
which I would interpret as: delete and create them again.
But apparently it doesn't touch any hooks which are already registered.

jenkins-infra-bot, Jun 16 '25 09:06