3.2. 使用带有 GitHub Webhook 的 Pipelines as Code
如果无法创建 GitHub 应用程序,在您的仓库中使用带有 GitHub Webhook 的 Pipelines as Code。但是,使用带有 GitHub Webhook 的 Pipelines as Code 并不代表您可以访问 GitHub Check Runs API。任务的状态在拉取请求中作为注释添加,它在 Checks 选项卡中没有提供。
带有 GitHub Webhook 的 Pipelines as Code 不支持 /retest
和 /ok-to-test
等 GitOps 注释。要重启持续集成 (CI),请创建一个到存储库的新提交。例如,要在不进行任何更改的情况下创建新提交,您可以使用以下命令:
$ git --amend -a --no-edit && git push --force-with-lease <origin> <branchname>
先决条件
- 确保在集群中安装了 Pipelines as Code。
为了授权,请在 GitHub 上创建一个个人访问令牌。
要生成一个安全的、细颗粒的令牌,将其范围限制为一个特定的存储库,并授予以下权限:
表 3.1. 细粒度令牌的权限 Name 权限 管理
只读
元数据
只读
内容
只读
提交状态
读和写
Pull request
读和写
Webhook
读和写
要使用经典令牌,将范围设置为
public_repo
(公共存储库)和repo
(私有存储库)。另外,提供一个短的令牌过期周期,并在其他位置记录下令牌。注意如果要使用
tkn pac
CLI 配置 webhook,请添加admin:repo_hook
范围。
流程
配置 Webhook 并创建一个
Repository
自定义资源 (CR)。要配置 webhook 并使用
tkn pac
CLI 工具自动创建一个Repository
CR,请使用以下命令:$ tkn pac create repo
互动输出示例
? Enter the Git repository url (default: https://github.com/owner/repo): ? Please enter the namespace where the pipeline should run (default: repo-pipelines): ! Namespace repo-pipelines is not found ? Would you like me to create the namespace repo-pipelines? Yes ✓ Repository owner-repo has been created in repo-pipelines namespace ✓ Setting up GitHub Webhook for Repository https://github.com/owner/repo 👀 I have detected a controller url: https://pipelines-as-code-controller-openshift-pipelines.apps.example.com ? Do you want me to use it? Yes ? Please enter the secret to configure the webhook for payload validation (default: sJNwdmTifHTs): sJNwdmTifHTs ℹ ️You now need to create a GitHub personal access token, please checkout the docs at https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token for the required scopes ? Please enter the GitHub access token: **************************************** ✓ Webhook has been created on repository owner/repo 🔑 Webhook Secret owner-repo has been created in the repo-pipelines namespace. 🔑 Repository CR owner-repo has been updated with webhook secret in the repo-pipelines namespace ℹ Directory .tekton has been created. ✓ We have detected your repository using the programming language Go. ✓ A basic template has been created in /home/Go/src/github.com/owner/repo/.tekton/pipelinerun.yaml, feel free to customize it.
要配置 webhook 并 手动创建
Repository
CR,请执行以下步骤:在 OpenShift 集群中,提取 Pipelines as Code 控制器的公共 URL。
$ echo https://$(oc get route -n openshift-pipelines pipelines-as-code-controller -o jsonpath='{.spec.host}')
在 GitHub 存储库或机构中执行以下步骤:
- 进入 Settings -> Webhooks 并点 Add webhook。
- 将 Payload URL 设置为 Pipelines as Code 的公共 URL。
- 将内容类型选为 application/json。
添加 webhook secret 并在另一个位置记录它。在本地机器上安装
openssl
后,生成一个随机 secret。$ openssl rand -hex 20
- 点 Let me select individual events 并选择这些事件:Commit comments, Issue comments, Pull request, 和 Pushes.
- 点击 Add webhook。
在 OpenShift 集群中,使用个人访问令牌和 webhook secret 创建一个
Secret
对象。$ oc -n target-namespace create secret generic github-webhook-config \ --from-literal provider.token="<GITHUB_PERSONAL_ACCESS_TOKEN>" \ --from-literal webhook.secret="<WEBHOOK_SECRET>"
创建
Repository
CR。示例:
Repository
CRapiVersion: "pipelinesascode.tekton.dev/v1alpha1" kind: Repository metadata: name: my-repo namespace: target-namespace spec: url: "https://github.com/owner/repo" git_provider: secret: name: "github-webhook-config" key: "provider.token" # Set this if you have a different key in your secret webhook_secret: name: "github-webhook-config" key: "webhook.secret" # Set this if you have a different key for your secret
注意Pipelines as Code 假设 OpenShift
Secret
对象和Repository
CR 位于同一命名空间中。
可选: 对于现有的
Repository
CR,请添加多个 GitHub Webhook secret 或为已删除的 secret 提供替换。使用
tkn pac
CLI 工具添加 webhook。示例:使用
tkn pac
CLI 的额外 Webhook$ tkn pac webhook add -n repo-pipelines
互动输出示例
✓ Setting up GitHub Webhook for Repository https://github.com/owner/repo 👀 I have detected a controller url: https://pipelines-as-code-controller-openshift-pipelines.apps.example.com ? Do you want me to use it? Yes ? Please enter the secret to configure the webhook for payload validation (default: AeHdHTJVfAeH): AeHdHTJVfAeH ✓ Webhook has been created on repository owner/repo 🔑 Secret owner-repo has been updated with webhook secert in the repo-pipelines namespace.
-
更新现有 OpenShift
Secret
对象中的webhook.secret
密钥。
可选: 对于现有的
Repository
CR,更新个人访问令牌。使用
tkn pac
CLI 工具更新个人访问令牌。示例:使用
tkn pac
CLI 更新个人访问令牌$ tkn pac webhook update-token -n repo-pipelines
互动输出示例
? Please enter your personal access token: **************************************** 🔑 Secret owner-repo has been updated with new personal access token in the repo-pipelines namespace.
或者,通过修改
Repository
CR 来更新个人访问令牌。在
Repository
CR 中查找 secret 的名称。apiVersion: "pipelinesascode.tekton.dev/v1alpha1" kind: Repository metadata: name: my-repo namespace: target-namespace spec: # ... git_provider: secret: name: "github-webhook-config" # ...
使用
oc patch
命令更新$target_namespace
命名空间中的$NEW_TOKEN
的值。$ oc -n $target_namespace patch secret github-webhook-config -p "{\"data\": {\"provider.token\": \"$(echo -n $NEW_TOKEN|base64 -w0)\"}}"