Hello, I want to trigger a pipeline from one repository of my organization using the API.
I had a look at this post and this documentation but it doesn't seem to work.
So I went to https://bitbucket.org/account/settings/app-passwords/ and I created an app password with all the rights (I guess I just need "write" on "pipeline" but this is just for testing).
Then I used this curl command:
curl -X POST -is -u <user@organization.com>:<myapppassword> \
-H 'Content-Type: application/json' \
https://api.bitbucket.org/2.0/repositories/<organization>/<repo>/pipelines/ \
-d '
{
"target": {
"ref_type": "branch",
"type": "pipeline_ref_target",
"ref_name": "master"
}
}'
But it gives me a 401 error.
if I use my account password, the query is successful and it triggers the pipeline.
For obvious security reasons I don't want to use my password to trigger a pipeline through a script, but just a token I can revoke at any time.
Any idea how I can trigger the pipeline using the API?
Hi @[deleted]
Thank you for your question!
It's a good case for trigger-pipeline pipe.
To use this pipe, you need to generate an app password. Remember to check the Pipelines Write
and Repositories Read
permissions when generating the app password. If you want to trigger a pipeline in a repository owned by a team account, make sure you have the correct access to the repository.
This pipe will trigger the branch pipeline for master
in your-awesome-repo
. This pipeline will continue, without waiting for the triggered pipeline to complete.
script: - pipe: atlassian/trigger-pipeline:4.2.1 variables: BITBUCKET_USERNAME: $BITBUCKET_USERNAME BITBUCKET_APP_PASSWORD: $BITBUCKET_APP_PASSWORD REPOSITORY: 'your-awesome-repo'
Or
This pipe will trigger the branch pipeline for master
in your-awesome-repo
that is owned by the teams-in-space
Bitbucket account.
script: - pipe: atlassian/trigger-pipeline:4.2.1 variables: BITBUCKET_USERNAME: $BITBUCKET_USERNAME BITBUCKET_APP_PASSWORD: $BITBUCKET_APP_PASSWORD REPOSITORY: 'your-awesome-repo' ACCOUNT: 'teams-in-space'
To discover more pipes, visit our Bitbucket Pipes Marketplace.
Cheers,
Oleksandr Kyrdan
Hello Oleksandr,
Thank you for your answer, but I am interested to make it work with Curl, or any other HTTP clients (As we use it to trigger the pipeline from a Laravel application). I don't plan to trigger the pipeline from another pipeline.
Creating an app password with the Pipelines Write
and Repositories Read
permissions don't seem to be enough as I get a 401 response from Nginx.
HTTP/2 401
server: nginx
vary: Origin
www-authenticate: Basic realm="Bitbucket.org HTTP"
cache-control: no-cache, no-store, must-revalidate, max-age=0
content-type: text/html; charset=utf-8
I have full access to the repository I want to trigger the pipeline, as I can modify the settings of the pipeline or any repository settings.
Is there another step to do as the repository is under a team workspace? Having global rights on the team workspace?
Best Regards,
François
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
@[deleted]
Please take a look at trigger pipeline pipe source code under the hood, as it's open sourced )
Here are payload structure and parameters required for programmatically API interaction from the Python code.
Note! Remember to check the Pipelines Write
and Repositories Read
permissions when generating the app password.
If you have right permissions to the team workspace app password should work.
Cheers,
Oleksandr Kyrdan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
So, I managed to make it work with the same CuRL request as the one posted earlier, but with:
username: "<name><lastname>" of the creator of the team
password: app password generated by the creator of the team, with Pipelines Write
and Repositories Read
permissions.
I don't get why we can't create API token at a repository level, using a user account for it doesn't make sense when we trigger the pipeline from an application.
Furthermore, the token gives access to every repository of the user, which is way too extensive, it should be possible to restrict the token to only 1 repo.
If the token is compromised, anyone can trigger pipelines for the whole organization...
Regards,
Francois
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
@[deleted] thanks, good suggestion.
It's a good practice to rotate generated secrets periodically.
As an alternative you could use an OAuth consumer on Bitbucket Cloud.
If you’d like to suggest feature to improve, please, find the appropriate ticket in the list of existing tickets, vote for them or create a new suggestion request with type Suggestion.
Best regards,
Oleksandr Kyrdan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.