Use webhooks with AWS CodeBuild
AWS CodeBuild supports webhook integration with GitHub, GitHub Enterprise Server, GitLab, GitLab Self Managed, and Bitbucket.
Topics
Best practices for using webhooks with AWS CodeBuild
For projects that use public repositories to setup webhooks, we recommend the following options:
- Setup
ACTOR_ACCOUNT_ID
filters -
Add
ACTOR_ACCOUNT_ID
filters to your project’s webhook filter groups to specify which users can trigger a build. Every webhook event delivered to CodeBuild comes with sender information that specifies the actor's identifier. CodeBuild will filter the webhooks based on the regular expression pattern provided in the filters. You can specify the specific users that are allowed to trigger builds with this filter. For more information, see GitHub webhook events and Bitbucket webhook events. - Setup
FILE_PATH
filters -
Add
FILE_PATH
filters to your project’s webhook filter groups to include or exclude the files that can trigger a build when changed. For example, you can deny build requests for changes to thebuildspec.yml
file using a regular expression pattern such as^buildspec.yml$
, along with theexcludeMatchedPattern
property. For more information, see GitHub webhook events and Bitbucket webhook events. - Scope down the permissions for your build IAM role
-
Builds triggered by a webhook use the IAM service role specified in the project. We recommend setting the permissions in the service role to the minimum set of permissions required to run the build. For example, in a test and deploy scenario, create one project for testing and another project for deployment. The testing project accepts webhook builds from the repository, but provides no write permissions to your resources. The deployment project provides write permissions to your resources, and the webhook filter is configured to only allow trusted users to trigger builds.
- Use an inline or an Amazon S3 stored buildspec
-
If you define your buildspec inline within the project itself, or store the buildspec file in an Amazon S3 bucket, the buildspec file is only visible to the project owner. This prevents pull requests from making code changes to the buildspec file and triggering unwanted builds. For more information, see ProjectSource.buildspec in the CodeBuild API Reference.