Skip to content

GitLab 推送时触发 Jenkins Job

🏷️ Jenkins GitLab

1. 在 Jenkins 中创建流水线

具体方法参考 这篇博客

构建触发器 勾选 触发远程构建 (例如,使用脚本),值设置为随机字符串即可(本以为是用户自己的 API Token,但其实并不是)。

Use the following URL to trigger build remotely: JENKINS_URL/job/JOB_NAME/build?token=TOKEN_NAME 或者 /buildWithParameters?token=TOKEN_NAME
Optionally append &cause=Cause+Text to provide text that will be included in the recorded build cause.

使用上面的两种 URL 来触发时,需要将 job 设置为匿名可访问,否则会报 Authentication required 的错误消息。
下面是帮助文档的原文:

Enable this option if you would like to trigger new builds by accessing a special predefined URL (convenient for scripts).
One typical example for this feature would be to trigger new build from the source control system's hook script, when somebody has just committed a change into the repository, or from a script that parses your source control email notifications.

You'll need to provide an authorization token in the form of a string so that only those who know it would be able to remotely trigger this project's builds.

This is most useful when your Jenkins instance grants read access to this job to anonymous users.

When that's not the case, Jenkins will reject requests sent to the trigger URL even when the correct token is specified.

To solve this, the HTTP requests needs to be authenticated as a user with the necessary read permission for the job — but then you could probably just grant this user the permission to build this anyway.

Another option is to use the Build Token Root Plugin, that provides additional URL endpoints to trigger builds using this token, and doesn't require the otherwise necessary Overall/Read and Job/Read permissions to do so.

2. 关闭 防止跨站点请求伪造

Manage Jenkins -> Configure Global Security 中关闭 防止跨站点请求伪造,否则在通过 GitLab 请求 Jenkins 时会报 403 的错误。

html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /job/JOB_NAME/build. Reason:
<pre>    No valid crumb was included in the request</pre></p><hr><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>

</body>
</html>

3. 安装 Build Authorization Token Root 插件

上面有说使用 JENKINS_URL/job/JOB_NAME/build?token=TOKEN_NAME 或者 /buildWithParameters?token=TOKEN_NAME 地址来触发时需要将 job 设置为匿名可访问,否则就会报 Authentication required 的错误。

html
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fjob%2FJOB_NAME%2Fbuild%3Ftoken%3DTOKEN_NAME'/><script>window.location.replace('/login?from=%2Fjob%2FJOB_NAME%2Fbuild%3Ftoken%3DTOKEN_NAME');</script></head><body style='background-color:white; color:white;'>

<!--
You are authenticated as: anonymous
Groups that you are in:

Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer
-->

</body></html>

Manage Jenkins -> Manage Plugins 中安装 Build Authorization Token Root 插件。

安装该插件后,就可以通过 buildByToken/build?job=NAME&token=SECRET 地址来触发 job 了,此时不需要将 job 设置为匿名可访问也可以正常触发。

4. 在 GitLab 中创建 Web 钩子

在 GitLab 项目的 设置 -> 导入所有仓库 页面新增一个 Web 钩子。

链接 (URL) 设置为 JENKINS_URL/buildByToken/build?job=JOB_NAME&token=TOKEN_NAME
例:http://192.168.0.1:8080/buildByToken/build?job=BuildGitLabProject&token=113f96e1ba3db8bb7f95df1aed5824fb8e

安全令牌 留空即可。

触发器 中勾选 推送事件,紧跟的文本框中可以设置触发的分支(支持模糊匹配)。

SSL 证书验证 根据自己需要设定。

5. 保存并测试 Web 钩子

点击 增加 Web 钩子 保存,然后在 Test 下拉框中选择 Push events 来手动触发测试。