Secure Source Manager is generally available (GA) by invitation only. To use Secure Source Manager, contact your Google Account team.

Set up webhooks

This page describes how to set up webhooks in Secure Source Manager.

Webhooks are HTTP requests triggered by an event in Secure Source Manager, and sent to a user-specified URL.

Before you begin

Required roles

To get the permissions that you need to create webhooks, ask your administrator to grant you the following IAM roles:

Secure Source Manager Repository Admin (roles/securesourcemanager.repoAdmin) on the Secure Source Manager repository
Secure Source Manager Instance Accessor (roles/securesourcemanager.instanceAccessor) on the Secure Source Manager instance

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

For information on granting Secure Source Manager roles, see Access control with IAM and Grant users instance access.

Set up a webhook

In the Secure Source Manager web interface, navigate to the repository you want to create a webhook for.
Click Settings.
Click Webhooks, and then click Add webhook.
In the Hook ID field, enter an ID for the webhook.

Note: Hook IDs must follow the resource naming convention. They must include only lower case letters, numbers, or dashes, must begin with a letter, and cannot be changed after creating the webhook.
In the Target URL field, enter the Webhook URL. For example, if you want to trigger a build in Jenkins, you could Set up a webhook trigger, and then enter the Jenkins trigger URL here to trigger your build in Jenkins.
If the Webhook URL contains your key and secret values entered when you created your webhook trigger, remove them from the end of the target URL and copy them to the Sensitive Query String field.

To locate your key and secret in your webhook URL, look for the text starting with key=

For example, given the following URL: https://cloudbuild.googleapis.com/v1/projects/my-project/triggers/test-trigger:webhook?key=eitIfKhYnv0LrkdsyHqIros8fbsheKRIslfsdngf&secret=Hello%20Secret%20Manager

Copy and remove the portion starting with the question mark ?key=... from the Target URL field. Then remove the initial question mark, move the remaining portion key=... to the Sensitive Query String field.
In the Trigger on section, select one of the following:
- Push: to trigger on a push to the repository.
- Pull request state changed: to trigger on a change in the pull request state.
If you selected Push, then you can enter an allowlist for push events in the Branch filter field.

The Branch filter field uses the glob pattern and only operations on the matched branches will cause a build trigger. If the field is empty or *, then push events for all branches are reported. For information on syntax, see the glob documentation.
Click Add webhook.
The webhook is displayed in the Webhooks page.

Note: When you add or edit a webhook, the length of the Sensitive Query String might be inconsistent with the entered one, which is expected as placeholder strings are used to ensure security.

Test your webhook

In the Secure Source Manager Webhooks page, click the webhook you want to test.
Go to the bottom of the page and click Test delivery.

A placeholder event is added to the delivery queue. It might take a few seconds before it shows up in the delivery history.
You can also use a git command to push or merge a pull request to test the webhook.
Check the status of the triggered build or event in the build history of the service where you configured your webhook trigger.
You can also view the Request and Response to the test delivery in the Recent deliveries section of the Secure Source Manager webhook page after you send your first test delivery.

Substitute Cloud Build YAML variables with payload data

If you're using webhooks to connect to Cloud Build, you can substitute Cloud Build YAML variables with Secure Source Manager webhook payload data.

In the Secure Source Manager Webhooks page, in the Recent deliveries section, click the top row.

The Request header and content sent by the webhook payload is displayed.
Navigate to the Cloud Build dashboard, and then click Triggers.
Click the trigger you want to configure.
In the Advanced section, under Substitution variables, click + Add variable.
Enter the name and value of the variable. The value prefix is body.

For example, to substitute _REPO_URL with the payload data field repository.clone_url and _COMMIT_SHA with latest commit sha in Cloud Build YAML, enter the following names and values:
- Variable 1: _REPO_URL Value 1: $(body.repository.clone_url)
- Variable 2: _COMMIT_SHA Value 2: $(body.after)
The Cloud Build YAML file resembles the following:
```
steps:
- name: gcr.io/cloud-builders/git
  env:
  - '_REPO_URL=$_REPO_URL'
  - '_COMMIT_SHA=$_COMMIT_SHA'
  script: |
    #!/bin/sh
    git clone ${_REPO_URL} /workspace
    cd /workspace
    git reset --hard ${_COMMIT_SHA}
```

What's next

Connect to Jenkins