Trigger API should not start workflow without verification
Bug #1390141 reported by Melissa Kam
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Solum | Confirmed | High | Ashish | |
Bug Description
A POST to an assembly's trigger uri starts the workflow regardless of the headers, body, etc. of the request. There needs to be some kind of verification because of security purposes and because GitHub automatically sends a ping to the uri whenever a webhook is created in order to test if it is a valid link. This ping triggers the assembly workflow, causing an unnecessary run.
tags: added: solum-api
Changed in solum: importance: Undecided → High
Changed in solum: assignee: nobody → Ashish (ashish-jain14)
Yes, for GitHub we need to leverage the webhook secret to do the verification. Thanks for logging the bug.
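
An added example (not Solum's code) of the check this report asks for: verify GitHub's HMAC signature over the raw request body with the webhook secret, and acknowledge the creation-time ping without starting a run. The names `verify_signature`, `handle_trigger` and `signed_headers`, the returned status codes, and the sample secret and payloads are assumptions made for illustration; the example uses GitHub's `X-Hub-Signature-256` and `X-GitHub-Event` headers.

```python
import hashlib
import hmac

def verify_signature(secret: bytes, body: bytes, signature_header) -> bool:
    """Check an X-Hub-Signature-256 value against the raw request body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), signature_header.encode())

def handle_trigger(headers: dict, body: bytes, secret: bytes):
    """Hypothetical trigger handler: returns (http_status, start_workflow)."""
    headers = {k.lower(): v for k, v in headers.items()}
    # Authenticate first, over the exact bytes received (not re-serialized JSON).
    if not verify_signature(secret, body, headers.get("x-hub-signature-256")):
        return 401, False
    # The ping GitHub sends when a webhook is created is acknowledged, not run.
    if headers.get("x-github-event") == "ping":
        return 200, False
    return 202, True

# Constructed sample data (secret and payloads are made up for this example).
SECRET = b"constructed-example-secret"
PUSH_BODY = b'{"ref": "refs/heads/master"}'
PING_BODY = b'{"zen": "constructed ping payload"}'

def signed_headers(event: str, body: bytes, secret: bytes = SECRET) -> dict:
    """Build the headers GitHub would send for this body (sample-data helper)."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"X-GitHub-Event": event, "X-Hub-Signature-256": "sha256=" + digest}

if __name__ == "__main__":
    print(handle_trigger(signed_headers("push", PUSH_BODY), PUSH_BODY, SECRET))
    print(handle_trigger(signed_headers("ping", PING_BODY), PING_BODY, SECRET))
    print(handle_trigger({"X-GitHub-Event": "push"}, PUSH_BODY, SECRET))
```

The signature is checked before the event type so that an unauthenticated request cannot probe the handler by claiming to be a ping.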