Cloud Build enables you to define webhook triggers, which can authenticate and accept incoming webhook events. These events, sent to a custom URL, allow you to directly connect external systems and external source code management systems such as Bitbucket.com, Bitbucket Server, or GitLab, to Cloud Build through webhook events.
With webhook triggers, you can define an inline build configuration file rather than specify a source when creating your trigger. The inline build configuration enables you to have control over git operations and define the rest of your build.
This page outlines how you can create webhook triggers to automate builds in response to webhook events.
Before you begin
-
Enable the Cloud Build and Secret Manager APIs.
To use
gcloud
commands on this page, install the Google Cloud CLI.
Creating webhook triggers
Console
To create a webhook trigger using the Google Cloud console:
Open the Triggers page:
Select your project from the top of the page and click Open.
Click Create trigger.
Enter the following trigger settings:
- Name: A name for your trigger.
Region: Select the region for your trigger.
- If the build config file associated with the trigger specifies a private pool, Cloud Build uses the private pool to run your build. In this case, the region you specify in your trigger must match the region where you created your private pool.
- If the build config file associated with the trigger does not specify a private pool, Cloud Build uses the default pool to run your build in the same region as your trigger.
Description (Optional): A description for your trigger.
Event: Select Webhook event to set up your trigger to start builds in response to incoming webhook events.
Webhook URL: Use the webhook URL to authenticate incoming webhook events.
Secret: You will need a secret to authenticate incoming webhook events. You can create a new secret or use an existing secret. This secret is separate from the secret associated with your SSH key.
To create a new secret:
- Select Use a new secret (generated by Cloud Build).
Click Create Secret.
You will see the Create a webhook secret pop-up box.
In the Secret name field, enter a name for your secret.
Click Create secret to save your secret, which will automatically be created and stored for you in Secret Manager.
To use an existing secret:
- Select Use an existing secret or create your own.
- In the Secret field, select the name of the secret you want to use from the drop-down menu or follow the instructions to add a secret by resource ID.
- In the Secret version field, select your secret version from the drop-down menu.
If you use an existing secret, you may need to manually grant the Secret Manager Secret Accessor role to your Cloud Build service account,
service-${PROJECT_NUMBER}@gcp-sa-cloudbuild.iam.gserviceaccount.com
. To learn more, see Granting Secret Manager role to your service account.
After you have created or selected your secret, you will see a Webhook URL preview. Your URL will contain an API key generated by Cloud Build and your secret. If Cloud Build is unable to retrieve your API key, you can manually add your API key to the URL or learn how to obtain an API key if you do not have one yet.
You can use the URL to invoke a webhook event by making an HTTP request using the POST method.
Use the following command to invoke a webhook event:
curl -X POST -H "Content-type: application/json" "https://cloudbuild.googleapis.com/v1/projects/${PROJECT_ID}/locations/${REGION}/triggers/${TRIGGER_NAME}:webhook?key=${API_KEY}&secret=${SECRET_VALUE}&trigger=${TRIGGER_NAME}&projectId=${PROJECT_ID}" -d "{}"
After completing these steps, the Secret Manager Secret Accessor role will automatically be granted to your Cloud Build service agent,
service-${PROJECT_NUMBER}@gcp-sa-cloudbuild.iam.gserviceaccount.com
. If you do not see this role automatically added to your service agent, complete the following steps outlined in Granting Secret Manager role to your service account.Source (optional): Select the source to build when the webhook trigger runs. If you're specifying an inline build configuration, you're not required to specify the following source. You can specify 1st generation or 2nd generation as your source. To learn more, see Cloud Build repositories.
Repository: From the list of available repositories, select the desired repository.
Branch or Tag: Specify a regular expression with the branch or tag value to match. For information on acceptable regular expression syntax, see RE2 syntax.
Comment control: If you selected Pull request (GitHub App only) as your Event, choose one of the following options to control whether a build will automatically be executed by the trigger:
Required except for owners and collaborators: When a pull request is created or updated by a repository owner or collaborator, builds will automatically be executed by the trigger. If an external contributor initiates the action, builds will only be executed after an owner or collaborator comments
/gcbrun
on the pull request.Required: When a pull request is created or updated by any contributor, builds will only be executed after an owner or collaborator comments
/gcbrun
on the pull request. Builds are executed each time a change to a pull request is made.Not required: When a pull request is created or updated by any contributor, builds will automatically be executed by triggers.
Configuration: Select the build config file located in your remote repository or create an inline build config file to use for your build. If you did not specify a source repository, you must select an Inline build config file as your configuration option.
- Type: Select the type of configuration to use for your build.
- Cloud Build configuration file (yaml or json): Use a build config file for your configuration.
- Dockerfile: Use a
Dockerfile
for your configuration. - Buildpacks: Use buildpacks for your configuration.
Location: Specify the location for your configuration.
- Repository: If your config file is located in your
remote repository, provide the location of your
build config file, the
Dockerfile
directory, or the buildpacks directory. If your build config type is aDockerfile
or a buildpack, you will need to provide a name for the resulting image and optionally, a timeout for your build. When you've provided theDockerfile
or buildpack image name, you'll see a preview of thedocker build
orpack
command that your build will execute. - Buildpack environment variables (optional): If you
selected
buildpacks
as your configuration type, click Add pack environment variable to specify your buildpack environment variables and values. To learn more about buildpack environment variables, see Environment variables. Inline: If you selected Cloud Build configuration file (yaml or json) as your configuration option, you can specify your build config inline. Click Open Editor to write your build config file in the Google Cloud console using YAML or JSON syntax. Click Done to save your build config.
- Repository: If your config file is located in your
remote repository, provide the location of your
build config file, the
In the following example, the inline build config file logs echoes "hello world":
steps: - name: 'ubuntu' args: ['echo', 'hello world']
- Type: Select the type of configuration to use for your build.
Substitutions (optional): If you selected the build config file as your build config option or created an inline build config file, you can choose to define trigger-specific substitution variables using this field. You can also obtain data using payload bindings when defining substitution variables values.
Filters (optional): You can create a rule within a trigger that determines whether or not your trigger will execute a build based on your substitution variables.
Click Create to create your build trigger.
gcloud
(Optional) Obtaining an API key
To authenticate your incoming webhook event, you need an API key.
To obtain an API key:
Open the Credentials page in the Google Cloud console:
Click Create credentials.
Click API Key.
You will see a dialog with your API key created. Take note of your API key.
If you would like to restrict your key for product applications, click Restrict key to complete additional steps to secure your key. Otherwise, click Close.
To learn how to restrict your key, see Applying API key restrictions.
(Optional) Granting Secret Manager role to your service account
Cloud Build automatically grants the Secret Manager Secret Accessor role to service accounts that require the role during secret configuration. If you do not see this role automatically granted to the necessary service account, complete the following steps to manually add the role so that your service account has access to your secret:
Open the IAM page in the Google Cloud console:
Optional: To see Google-provided accounts, select the Include Google-provided role grants checkbox.
Take note of the build service account you would like to grant the role to.
Open the Secret Manager page in the Google Cloud console:
Click on the name of your secret.
You will see the Secret details page.
Click on the Permissions tab.
Click on Grant access.
You will see the Grant access panel.
In the Add Principals section, add the email associated with the build service account.
In the Assign roles section, select Secret Manager > Secret Manager Secret Accessor.
Click Save.
What's next
- Learn how to create and manage triggers.
- Learn how to build repositories hosted on on Bitbucket Server.
- Learn how to start builds manually.
- Learn how to view build results.
- Learn how to troubleshoot build errors.