403 "invalid secret" after updating automatic build webhook on GitHub

I followed the instructions in the blogpost to move the arduino snap from build.snapcraft.io to the new snapcraft.io builder. Basically, I changed the webhook url to https://snapcraft.io/arduino/webhook/notify

This doesn’t seem to work, however. I get a 403 as response:

Body

Invalid secret

Headers

Content-Length: 14
Content-Type: text/html; charset=utf-8
Date: Tue, 05 May 2020 21:53:47 GMT
Link: <https://assets.ubuntu.com>; rel=preconnect; crossorigin, <https://assets.ubuntu.com>; rel=preconnect, <https://res.cloudinary.com>; rel=preconnect, <https://dashboard.snapcraft.io>; rel=preconnect
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=15724800
X-Hostname: snapcraft-io-7c96967db6-4wdg5
X-Request-Id: 79d5ead228ea92b52864883e4509eb80
X-VCS-Revision: 1588595333-c8ef198
X-View-Name: webapp.publisher.snaps.build_views.publisher_snaps.post_github_webhook

How can I fix this?

Ping? It seems the webhook for every snap I maintain gives a 403 error since following the instructions in the blogpost.

@popey are you seeing the same thing with the snapcrafters snaps?

After removing the webhook, disconnecting the repo from snapcraft.io, and connecting the repo again, builds started working again.

Can the instructions in the blogpost be updated to do this sequence of steps, please? I’m sure many people will run into the same issue. Other people have posted to this same category: New build webhook URL doesn't work

I also have this issue (I am the one who posted the topic @galgalesh linked to)!

@galgalesh It warns that “previous builds will be deleted” when reconnecting. Is it still fine just to disconnect and reconnect?

Yes, the builds stay available in the “releases” page. the only thing you seem to lose are the build logs of old builds. New builds have build logs again.

@galgalesh @prytz - when changing the URL is the secret input empty? Changing the URL should “Just Work” and did during our testing. Any more information would be useful thanks :)!

@Lukewh I did not change the secret, I just changed the URL. The secret that was used on the previous URL was used on the new one but it still generated the “Invalid secret” response as @galgalesh posted earlier.

@prytz thanks - we’ll have a deeper look. If the secret was untouched things should have worked as normal so there is definitely a bug somewhere.

@Lukewh

I also started with only changing the URL. After that, I tried to remove the secret, but then I got a 500 error instead.

I still have some repos’ in a broken state, so let me know if I can provide you with more information. ghtt is one of them: https://github.com/IBCNServices/ghtt links to https://snapcraft.io/ghtt/webhook/notify

I am also facing this - all repos which previously used build.snapcraft.io are now failing automatic builds due to “invalid secret” - all I did was change the URL on the github side, I didn’t change the secret…

Exact same issue here.

Same here. I’m switching back to the old URL for now.

@lukewh This is also impacting the supertuxkart snap at https://github.com/diddlesnaps/supertuxkart. The response from the snapcraft.io server is 403 (Access Denied) which indicates that it thinks the secret is wrong (also it says “Invalid secret” in the body of the response to reinforce the thought):

Github shows the latest request’s response from snapcraft.io as:

Content-Length: 14
Content-Type: text/html; charset=utf-8
Date: Mon, 20 Jul 2020 16:04:31 GMT
Link: <https://assets.ubuntu.com>; rel=preconnect; crossorigin, <https://assets.ubuntu.com>; rel=preconnect, <https://res.cloudinary.com>; rel=preconnect, <https://dashboard.snapcraft.io>; rel=preconnect
Server: nginx/1.14.0 (Ubuntu)
Strict-Transport-Security: max-age=15724800
X-Hostname: snapcraft-io-758d47cf64-wx8c2
X-Request-Id: 025a935ae18ce59c4eb7e84e367e8d11
X-Vcs-Revision: 1595233813-b3df4fd
X-View-Name: webapp.publisher.snaps.build_views.publisher_snaps.post_github_webhook

This issue was fixed, previous secrets from build.snapcraft.io will work.