Sebastian Bauersfeld 81d2d45f89
Merge pull request #15 from johnlugton/small-improvements
Small improvements
2021-03-01 19:57:51 +01:00
.gitignore Ensure latest version of Jinja2 2019-04-15 10:05:07 +01:00
CODE_OF_CONDUCT.md Basic functional example of Webhook integration 2019-02-01 15:51:11 +01:00
COPYRIGHT Basic functional example of Webhook integration 2019-02-01 15:51:11 +01:00
Dockerfile First attempt at creating a GitHub action 2021-02-08 14:49:55 +01:00
LICENSE Basic functional example of Webhook integration 2019-02-01 15:51:11 +01:00
Pipfile First attempt at creating a GitHub action 2021-02-08 14:49:55 +01:00
README.md Update documentation. 2021-02-26 17:12:45 +01:00
action.yml Make the github_token action parameter optional and provide sensible default. 2021-02-24 15:45:23 +01:00
cli.py Print the correct program name in the cli help text. 2021-02-24 15:43:35 +01:00
entrypoint.sh First attempt at creating a GitHub action 2021-02-08 14:49:55 +01:00
gh2jira Quote arguments 2021-02-24 15:42:47 +01:00
ghlib.py Address review comments: Introduce constant for results per page. 2021-02-10 09:53:15 +01:00
jiralib.py Update jiralib.py 2021-02-17 08:41:50 -08:00
server.py Minor cleanup. 2021-02-08 14:20:12 +01:00
util.py Allow the server to be run via the cli. 2021-02-01 22:17:35 +01:00

README.md

gh2jira - Synchronize GitHub Code Scanning alerts and JIRA issues

GitHub's REST API and webhooks give customers the option of exporting alerts to any issue tracker, by allowing users to fetch the data via API endpoints and / or by receiving webhook POST requests to a hosted server.

This repository

This repository gives a quick illustrative example of how to integrate GitHub Code Scanning with a third-party issue tracker - in this case JIRA. The code is intended as a proof-of-concept, showing the basic operations necessary to handle incoming requests from GitHub. It is not intended for production use. Please feel free to use this as a starting point for your own integration.

Using the GitHub Action

The easiest way to use this tool is via its GitHub Action, which you can add to your workflows. Here is what you need before you can start:

  • A GitHub repository with Code Scanning enabled and a few alerts. Follow this guide to set up Code Scanning.
  • The URL of your JIRA Server instance.
  • A JIRA project to store your issues. You will need to provide its project key to the action.
  • A JIRA Server account (username + password) with the following permissions for the abovementioned project:
    • Browse Projects
    • Close Issues
    • Create Issues
    • Delete Issues
    • Edit Issues
    • Transition Issues
  • Depending on where you run your workflow, the JIRA Server instance must be accessible from either the GitHub.com IP addresses or the address of your GitHub Enterprise Server instance.

Make sure you safely store all credentials as GitHub Secrets. For accessing the Code Scanning alert data, the action uses the GITHUB_TOKEN which is automatically created for you, so you don't need to provide it. Finally, set up the following workflow in your repository, e.g. by adding the file .github/workflows/jira-sync.yml:

name: "Sync with JIRA"

on:
  schedule:
    - cron: '*/10 * * * *'    # trigger synchronization every 10 minutes

jobs:
  test_job:
    runs-on: ubuntu-latest
    steps:
      - name: Sync with JIRA
        uses: johnlugton/lgtm-issue-tracker-example@master
        with:
          jira_url: '<INSERT JIRA SERVER URL>'
          jira_user: '${{ secrets.JIRA_USER }}'
          jira_token: '${{ secrets.JIRA_TOKEN }}'
          jira_project: '<INSERT JIRA PROJECT KEY>'
          sync_direction: 'gh2jira'

This action will push any changes (new alerts, alerts deleted, alert states changed) to JIRA, by creating, deleting or changing the state of the corresponding JIRA issues. If you set sync_direction to jira2gh, it will synchronize the other way. Currently, two-way integration is not yet possible via the action. If you need it, use the CLI's serve command (see below).

Using the CLI's sync command

Installation

The easiest way to get the CLI running is with pipenv:

pipenv install
pipenv run ./gh2jira --help

Note: gh2jira requires Python 3.5 or later.

In addition to the usual requirements you also need:

  • the URL for the GitHub API, which is
  • a GitHub personal access token, so that the program can fetch alerts from your repository. Follow this guide to obtain a dedicated token. It will have to have at least the security_events scope.

pipenv run ./gh2jira sync \
                 --gh-url "<INSERT GITHUB API URL>" \
                 --gh-token "<INSERT GITHUB PERSONAL ACCESS TOKEN>" \
                 --gh-org "<INSERT REPO ORGANIZATION>" \
                 --gh-repo "<INSERT REPO NAME>" \
                 --jira-url "<INSERT JIRA SERVER INSTANCE URL>" \
                 --jira-user "<INSERT JIRA USER>" \
                 --jira-token "<INSERT JIRA PASSWORD>" \
                 --jira-project "<INSERT JIRA PROJECT KEY>" \
                 --direction gh2jira

Note: Instead of the --gh-token and --jira-token options, you may also set the GH2JIRA_GH_TOKEN and GH2JIRA_JIRA_TOKEN environment variables. The above command could be invoked via a cronjob every X minutes, to make sure issues and alerts are kept in sync. Currently, two-way integration is not yet possible via this command. If you need it, use the CLI's serve command (see below).

Using the CLI's serve command

The following method is the most involved one, but currently the only one which allows two-way integration (i.e. changes to Code Scanning alerts trigger changes to JIRA issues and vice versa). It uses a lightweight Flask server to handle incoming JIRA and GitHub webhooks. The server is meant to be an example and not production-ready.

In addition to the usual requirements you also need:

  • A machine with an address that can be reached from GitHub.com or your GitHub Enterprise Server instance and your JIRA Server instance. This machine will run the server.
  • Webhooks set up on both GitHub and JIRA. On GitHub, only repository or organization owners can do so. On JIRA, it requires administrator access.
  • A secret which will be used to verify webhook requests.

First, create a GitHub webhook with the following event triggers:

This can be either a repository or an organization-wide hook. Set the Payload URL to https://<the machine>/github, the Content type to application/json and insert your webhook Secret. Make sure to Enable SSL verification.

Second, register a webhook on JIRA. Give your webhook a Name and enter the URL: https://<the machine>/jira?secret_token=<INSERT WEBHOOK SECRET>. In the Events section specify All issues and mark the boxes created, updated and deleted. Click Save.

Finally, start the server:

pipenv run ./gh2jira serve \
                 --gh-url "<INSERT GITHUB API URL>" \
                 --gh-token "<INSERT GITHUB PERSONAL ACCESS TOKEN>" \
                 --jira-url "<INSERT JIRA SERVER INSTANCE URL>" \
                 --jira-user "<INSERT JIRA USER>" \
                 --jira-token "<INSERT JIRA PASSWORD>" \
                 --jira-project "<INSERT JIRA PROJECT KEY>" \
                 --secret "<INSERT WEBHOOK SECRET>" \
                 --port 5000 \
                 --direction both

This will enable two-way integration between GitHub and JIRA. Note: Instead of the --secret option, you may also set the GH2JIRA_SECRET environment variable.
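
The two webhooks set up above carry the shared secret differently: GitHub signs the request body with it, while the JIRA hook passes it as the secret_token query parameter. The following is an added example of how a receiver can check both; it is not this repository's server code. It assumes GitHub's X-Hub-Signature-256 header (HMAC-SHA256 of the raw body), and the function names, host name and sample values are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def sign_like_github(secret: str, body: bytes) -> str:
    """Build the header value GitHub sends (used here for the constructed sample)."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: str, body: bytes, signature_header: str) -> bool:
    """Check an X-Hub-Signature-256 header against the raw request body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_like_github(secret, body)
    # compare_digest runs in constant time, so a mismatch leaks no prefix length.
    return hmac.compare_digest(expected.encode(), signature_header.encode())


def verify_jira_token(secret: str, request_url: str) -> bool:
    """Check the secret_token query parameter of a JIRA webhook request URL."""
    tokens = parse_qs(urlsplit(request_url).query).get("secret_token", [])
    # Reject a missing or repeated parameter rather than picking one value.
    if len(tokens) != 1:
        return False
    return hmac.compare_digest(tokens[0].encode(), secret.encode())


if __name__ == "__main__":
    SECRET = "constructed-example-secret"                     # constructed value
    BODY = b'{"action": "created", "alert": {"number": 1}}'   # constructed payload
    header = sign_like_github(SECRET, BODY)
    jira_url = "https://host.example/jira?secret_token=" + SECRET  # hypothetical host

    print("github, untouched body:", verify_github_signature(SECRET, BODY, header))
    print("github, modified body: ", verify_github_signature(SECRET, BODY + b" ", header))
    print("jira, token present:   ", verify_jira_token(SECRET, jira_url))
    print("jira, token missing:   ", verify_jira_token(SECRET, "https://host.example/jira"))
```

The signature must be computed over the raw request bytes, before any JSON parsing. Because the JIRA secret is carried in the query string, it appears wherever the full request URL is logged.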

Contributing

To be determined.

License

To be determined.