Skip to main content
Version: Release 22.1

External Script Tasks

An External Script task points to a Jython or Groovy script that will be executed on the Release server. This is an automated task that completes automatically when the script finishes successfully. The task detects the language of the script by the file name extension.

The External Script task type only supports basic HTTP authentication. You must provide an HTTP/HTTPS URL that points to a script file. The task type does not support other protocols.

For an example showing how you can use the External Script task type, see Create a release from a Git repository.

External Script Task Details

In the release flow editor, External Script tasks are marked with a gray border.

Security and External Script tasks

When an External Script task becomes active, the script is executed in a sandbox environment on the Release server. The script has very restricted permissions. By default, access to the file system, network, and non API related classes is not allowed.

To remove these restrictions, add a script.policy file to the XL_RELEASE_SERVER_HOME/conf directory. This is a standard Java Security Policy file that contains the permissions that a script should have.

To enable the use of additional Java packages or classes in the script, use the following Release specific RuntimePermission:

permission  com.xebialabs.xlrelease.script.security.RuntimePermission "accessClass.com.company.domain.*";
permission  com.xebialabs.xlrelease.script.security.RuntimePermission "accessClass.com.company.utils.HelperClass";

You must restart the Release server after creating or changing the XL_RELEASE_SERVER_HOME/conf/script.policy file.

Variable Interpolation

You can insert release, folder, or global variables directly into the script using the standard ${variable_name} syntax. However, users should exercise caution when interpolating variables because of the potential for insecurities and code injections, and it is not a recommended practice. This capability will be removed in a future update.

Variable interpolation replaces the ${variable_name} text in the script with the variable value "as is", without any escaping. This means that it will definitely fail if your variable value contains double quotes or new lines and if your Jython code looks like this:

x = "${myvariable}"

You can still work around this issue using triple quotes, but only in the case that your variable itself does not contain triple quotes, for example:

x = """${myvariable}"""

If you wish to use this feature, it is strongly recommended to avoid such characters as quotes, parentheses, and so on in the body of your variable.