I've setup a GitHub webhook according to the documentation at
When a push my commits to GitHub, a POST request is sent to the
webhook URL by GitHub and and HTTP 200 response received according to
GitHub logs. But nothing happens on Copr's side.
However, if I trigger the build manually using the "Rebuild" button,
everything works fine.
I just got a feedback about upcoming rewrite of our fedmsg.
MKluson come in person and stated that he need a message about successful build and he need:
I am posting here just as note for whoever will work on this in near future.
I added praiskup to Copr pagure group.
I contacted asamlik about his intentions with Copr and based on that I removed him from pagure group, fedora infra
playbooks, and FAS group.
I wrote to all members of FAS group (gitcopr) and based on their intentions I removed so far: mizdebski, msrb.
I may remove other people as I get the reply from them in upcoming days.
there was a security update of copr-frontend which fixes problem with
leaking of webhook secrets which are used to generate
Basically, it was possible to get webhook_secret of another project simply
by forking it.
You could then launch builds for that project :/.
Also, the Integration page (formerly 'Webhooks') was accessible for foreign
under a direct URL if you knew what that URL should look like (it wasn't
that difficult to guess).
This is the page where pagure api token for flagging pull requests and
commits is being inserted.
If you have already setup this integration with an api token generated at a
I recommend to revoke the currently used api token and generate a new one.
For the webhook leak, we have added command copr-cli new-webhook-secret
So I recommend regenerating your webhook secrets with this command and
Github/Gitlab/Bitbucket webhooks on your sourceforge.
The new copr-cli and python-copr package (both are needed) with the new
command are available here:
You should also be able to install them from updates-testing shortly.
In the attachment, you can find list of people, whose project has been
forked, which means
that somebody else shares their webhook secret.
Sorry for these problems. We are going to carefully audit the whole
now and make sure the code is clean of any further issues of this kind.
We have lots of old branches. Here is the list:
If you still need some of them, then please raise your voice. Otherwise I will delete them next week.