
Pipeline events on webhook give 403 error

Why is this closed/not fixed?

Triggering a webhook from pipeline events was purposefully removed to address a potential DoS through recursive requests. We are looking at alternative ways to support the use cases to drive automation based on status change of pipelines.

Summary

Triggering a webhook with pipeline events returns HTTP 403 {"message":"403 Forbidden"}, while other events on the same repo and the same request trigger the request.

In my use case, I am trying to fire a pipeline of another repository when the pipeline of the current one has a change.

Steps to reproduce

  • Create a target repository, let's call it A.
  • Create a pipeline in branch master of A and get a trigger on it https://gitlab.com/api/v4/projects/A/ref/master/trigger/pipeline?token=TOKEN
  • Create a repository that will trigger the previous pipeline, let's call it B.
  • Create a pipeline in B to test the trigger.
  • Go to webhooks settings on B, and set the callback to our previous address (https://gitlab.com/api/v4/projects/A/ref/master/trigger/pipeline?token=TOKEN)
  • Test the webhook by clicking on the Test button:
    • Push, tag, job, etc. trigger the pipeline
    • Pipeline events return an HTTP 403 {"message":"403 Forbidden"} message

Example Project

What is the current bug behavior?

Pipeline events do not trigger the webhook, while other events do.

What is the expected correct behavior?

All events should have the same behavior: triggering the requested webhook.

Relevant logs and/or screenshots

Request URL: POST https://gitlab.com/api/v4/projects/17451227/ref/master/trigger/pipeline?token=0cc409ae28859095d0ef44e8864f83 403

Trigger: Pipeline Hook

Elapsed time: 0.04 sec

Request time: 1 minute ago

Request headers:

Content-Type: application/json
X-Gitlab-Event: Pipeline Hook

Request body:

{
  "object_kind": "pipeline",
  "object_attributes": {
    "id": 125798986,
    "ref": "master",
    "tag": false,
    "sha": "c7a91c2948d8f3af0a111e7be75f74a44d7e0721",
    "before_sha": "0000000000000000000000000000000000000000",
    "source": "push",
    "status": "success",
    "detailed_status": "passed",
    "stages": [
      "build",
      "test",
      "deploy"
    ],
    "created_at": "2020-03-12 17:44:35 UTC",
    "finished_at": "2020-03-12 17:45:49 UTC",
    "duration": 71,
    "variables": [

    ]
  },
  "merge_request": null,
  "user": {
    "name": "adin",
    "username": "adin",
    "avatar_url": "https://secure.gravatar.com/avatar/3b5849a92110cd21391b45d82d2a11f2?s=80&d=identicon",
    "email": "adin.riv@gmail.com"
  },
  "project": {
    "id": 17451296,
    "name": "has-webhooks",
    "description": "",
    "web_url": "https://gitlab.com/tests-for-issues/has-webhooks",
    "avatar_url": null,
    "git_ssh_url": "git@gitlab.com:tests-for-issues/has-webhooks.git",
    "git_http_url": "https://gitlab.com/tests-for-issues/has-webhooks.git",
    "namespace": "Tests for Issues",
    "visibility_level": 20,
    "path_with_namespace": "tests-for-issues/has-webhooks",
    "default_branch": "master",
    "ci_config_path": null
  },
  "commit": {
    "id": "c7a91c2948d8f3af0a111e7be75f74a44d7e0721",
    "message": "Add .gitlab-ci.yml",
    "title": "Add .gitlab-ci.yml",
    "timestamp": "2020-03-12T17:44:34+00:00",
    "url": "https://gitlab.com/tests-for-issues/has-webhooks/-/commit/c7a91c2948d8f3af0a111e7be75f74a44d7e0721",
    "author": {
      "name": "adin",
      "email": "adin.riv@gmail.com"
    }
  },
  "builds": [
    {
      "id": 469811722,
      "stage": "deploy",
      "name": "deploy1",
      "status": "success",
      "created_at": "2020-03-12 17:44:35 UTC",
      "started_at": "2020-03-12 17:45:24 UTC",
      "finished_at": "2020-03-12 17:45:49 UTC",
      "when": "on_success",
      "manual": false,
      "allow_failure": false,
      "user": {
        "name": "adin",
        "username": "adin",
        "avatar_url": "https://secure.gravatar.com/avatar/3b5849a92110cd21391b45d82d2a11f2?s=80&d=identicon",
        "email": "adin.riv@gmail.com"
      },
      "runner": {
        "id": 44949,
        "description": "shared-runners-manager-4.gitlab.com",
        "active": true,
        "is_shared": true
      },
      "artifacts_file": {
        "filename": null,
        "size": null
      }
    },
    {
      "id": 469811718,
      "stage": "test",
      "name": "test1",
      "status": "success",
      "created_at": "2020-03-12 17:44:35 UTC",
      "started_at": "2020-03-12 17:45:04 UTC",
      "finished_at": "2020-03-12 17:45:24 UTC",
      "when": "on_success",
      "manual": false,
      "allow_failure": false,
      "user": {
        "name": "adin",
        "username": "adin",
        "avatar_url": "https://secure.gravatar.com/avatar/3b5849a92110cd21391b45d82d2a11f2?s=80&d=identicon",
        "email": "adin.riv@gmail.com"
      },
      "runner": {
        "id": 44949,
        "description": "shared-runners-manager-4.gitlab.com",
        "active": true,
        "is_shared": true
      },
      "artifacts_file": {
        "filename": null,
        "size": null
      }
    },
    {
      "id": 469811720,
      "stage": "test",
      "name": "test2",
      "status": "success",
      "created_at": "2020-03-12 17:44:35 UTC",
      "started_at": "2020-03-12 17:45:04 UTC",
      "finished_at": "2020-03-12 17:45:23 UTC",
      "when": "on_success",
      "manual": false,
      "allow_failure": false,
      "user": {
        "name": "adin",
        "username": "adin",
        "avatar_url": "https://secure.gravatar.com/avatar/3b5849a92110cd21391b45d82d2a11f2?s=80&d=identicon",
        "email": "adin.riv@gmail.com"
      },
      "runner": {
        "id": 44028,
        "description": "shared-runners-manager-3.gitlab.com",
        "active": true,
        "is_shared": true
      },
      "artifacts_file": {
        "filename": null,
        "size": null
      }
    },
    {
      "id": 469811716,
      "stage": "build",
      "name": "build1",
      "status": "success",
      "created_at": "2020-03-12 17:44:35 UTC",
      "started_at": "2020-03-12 17:44:35 UTC",
      "finished_at": "2020-03-12 17:45:02 UTC",
      "when": "on_success",
      "manual": false,
      "allow_failure": false,
      "user": {
        "name": "adin",
        "username": "adin",
        "avatar_url": "https://secure.gravatar.com/avatar/3b5849a92110cd21391b45d82d2a11f2?s=80&d=identicon",
        "email": "adin.riv@gmail.com"
      },
      "runner": {
        "id": 44028,
        "description": "shared-runners-manager-3.gitlab.com",
        "active": true,
        "is_shared": true
      },
      "artifacts_file": {
        "filename": null,
        "size": null
      }
    }
  ]
}

Response headers:

Server: nginx
Date: Thu, 12 Mar 2020 17:45:49 GMT
Content-Type: application/json
Content-Length: 27
Connection: close
Cache-Control: no-cache
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Request-Id: 3grXcTEgFI
X-Runtime: 0.017008
Ratelimit-Limit: 600
Ratelimit-Observed: 13
Ratelimit-Remaining: 587
Ratelimit-Reset: 1584035209
Ratelimit-Resettime: Thu, 12 Mar 2020 17:46:49 GMT
Gitlab-Lb: fe-17-lb-gprd
Gitlab-Sv: localhost

Response body:

{"message":"403 Forbidden"}

Output of checks

This bug happens on GitLab.com

Related Issues Table

Group | Issue Link | Notes
backend | 👈 You are here | Cancelled - Not wanted to create inconsistency between SM and .com
backend | Update error message for pipeline events on webhook |
Edited by Mark Nuzzo
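
The recursion concern in the closing note, shown from the receiving side: an added example (not GitLab's code and not from the issue author) of the check a small relay could run on each Pipeline Hook delivery before it starts a pipeline elsewhere. The secret, the allow-list, the function names and the sample payloads are assumptions constructed for illustration; the field names follow the request body above.

```python
import hmac
import json

# Hypothetical relay settings (assumptions, not values from the issue).
HOOK_SECRET = "constructed-shared-secret"
ALLOWED_PROJECTS = ("tests-for-issues/has-webhooks",)  # project B
# Pipelines that automation started are never relayed, so a chain of
# hook -> trigger -> hook cannot feed itself.
AUTOMATED_SOURCES = ("trigger", "pipeline", "api", "parent_pipeline")


def should_trigger_downstream(headers, body):
    """Return (decision, reason) for one received webhook delivery."""
    token = headers.get("X-Gitlab-Token", "").encode()
    if not hmac.compare_digest(token, HOOK_SECRET.encode()):
        return False, "bad secret token"
    if headers.get("X-Gitlab-Event") != "Pipeline Hook":
        return False, "not a pipeline event"
    try:
        event = json.loads(body)
        attrs = event["object_attributes"]
        kind = event["object_kind"]
        project = event["project"]["path_with_namespace"]
        source, status, ref = attrs["source"], attrs["status"], attrs["ref"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed payload"
    if kind != "pipeline":
        return False, "not a pipeline event"
    if project not in ALLOWED_PROJECTS:
        return False, "unexpected source project"
    if source in AUTOMATED_SOURCES:
        return False, "pipeline was started by automation"
    if status != "success" or ref != "master":
        return False, "not a successful master pipeline"
    return True, "ok"


def sample_delivery(source="push", status="success", token=HOOK_SECRET):
    """Constructed sample: a trimmed Pipeline Hook delivery."""
    headers = {"X-Gitlab-Event": "Pipeline Hook", "X-Gitlab-Token": token}
    body = json.dumps({
        "object_kind": "pipeline",
        "object_attributes": {"ref": "master", "source": source,
                              "status": status},
        "project": {"path_with_namespace": "tests-for-issues/has-webhooks"},
    })
    return headers, body
```

Only when the decision is `True` would the relay call the trigger URL for project A; every other delivery is dropped with the reason logged.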