Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

Trigger last pipeline using the API

Deleted user September 2, 2021

Hello, I want to trigger a pipeline from one repository of my organization using the API.

I had a look at this post and this documentation but it doesn't seem to work. 

So I went to https://bitbucket.org/account/settings/app-passwords/ and I created an app password with all the rights (I guess I just need "write" on "pipeline" but this is just for testing).

Then I used this curl command:

curl -X POST -is -u <user@organization.com>:<myapppassword> \
-H 'Content-Type: application/json' \
  https://api.bitbucket.org/2.0/repositories/<organization>/<repo>/pipelines/ \
-d '
{
"target": {
"ref_type": "branch",
"type": "pipeline_ref_target",
"ref_name": "master"
}
}'


But it gives me a 401 error.

if I use my account password, the query is successful and it triggers the pipeline.

For obvious security reasons I don't want to use my password to trigger a pipeline through a script, but just a token I can revoke at any time.

Any idea how I can trigger the pipeline using the API? 

 

1 answer

0 votes
Oleksandr Kyrdan
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 3, 2021

Hi @[deleted]

Thank you for your question!

It's a good case for trigger-pipeline pipe.

To use this pipe, you need to generate an app password. Remember to check the Pipelines Write and Repositories Read permissions when generating the app password. If you want to trigger a pipeline in a repository owned by a team account, make sure you have the correct access to the repository.

This pipe will trigger the branch pipeline for master in your-awesome-repo. This pipeline will continue, without waiting for the triggered pipeline to complete.

script:
  - pipe: atlassian/trigger-pipeline:4.2.1
    variables:
      BITBUCKET_USERNAME: $BITBUCKET_USERNAME
      BITBUCKET_APP_PASSWORD: $BITBUCKET_APP_PASSWORD
      REPOSITORY: 'your-awesome-repo'

Or 

This pipe will trigger the branch pipeline for master in your-awesome-repo that is owned by the teams-in-space Bitbucket account.

script:
  - pipe: atlassian/trigger-pipeline:4.2.1
    variables:
      BITBUCKET_USERNAME: $BITBUCKET_USERNAME
      BITBUCKET_APP_PASSWORD: $BITBUCKET_APP_PASSWORD
      REPOSITORY: 'your-awesome-repo'
      ACCOUNT: 'teams-in-space'


To discover more pipes, visit our Bitbucket Pipes Marketplace.

 

Cheers,
Oleksandr Kyrdan

Deleted user September 5, 2021

Hello Oleksandr,

Thank you for your answer, but I am interested to make it work with Curl, or any other HTTP clients (As we use it to trigger the pipeline from a Laravel application). I don't plan to trigger the pipeline from another pipeline.

Creating an app password with the Pipelines Write and Repositories Read permissions don't seem to be enough as I get a 401 response from Nginx.

HTTP/2 401
server: nginx
vary: Origin
www-authenticate: Basic realm="Bitbucket.org HTTP"
cache-control: no-cache, no-store, must-revalidate, max-age=0
content-type: text/html; charset=utf-8

I have full access to the repository I want to trigger the pipeline, as I can modify the settings of the pipeline or any repository settings.

Is there another step to do as the repository is under a team workspace? Having global rights on the team workspace?

Best Regards,
François
 

Oleksandr Kyrdan
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 9, 2021

@[deleted] 

Please take a look at trigger pipeline pipe source code under the hood, as it's open sourced )

Here are payload structure and parameters required for programmatically API interaction from the Python code.

Note! Remember to check the Pipelines Write and Repositories Read permissions when generating the app password.

If you have right permissions to the team workspace app password should work.

 

Cheers,
Oleksandr Kyrdan

Deleted user September 9, 2021

So, I managed to make it work with the same CuRL request as the one posted earlier, but with:
username: "<name><lastname>" of the creator of the team
password: app password generated by the creator of the team, with Pipelines Write and Repositories Read permissions.

I don't get why we can't create API token at a repository level, using a user account for it doesn't make sense when we trigger the pipeline from an application.

Furthermore, the token gives access to every repository of the user, which is way too extensive, it should be possible to restrict the token to only 1 repo.

If the token is compromised, anyone can trigger pipelines for the whole organization...

Regards,
Francois

Oleksandr Kyrdan
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 9, 2021

@[deleted]  thanks, good suggestion.

It's a good practice to rotate generated secrets periodically.

As an alternative you could use an OAuth consumer on Bitbucket Cloud.

If you’d like to suggest feature to improve, please, find the appropriate ticket in the list of existing tickets, vote for them or create a new suggestion request with type Suggestion.

 

Best regards,
Oleksandr Kyrdan

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events