To my understanding, the github-branch-source plugin currently always requires GitHub user credentials / tokens to authenticate.

      I'd suggest to add authenticating Jenkins to GitHub as a GitHub App too.

      Why is this better than the current way:

      • GitHub Apps can be granted very fine-grained permissions
      • GitHub Apps can be added either to a whole org, or just to selected repos
      • The app uses a key pair to then get temporary credentials, so leaked creds to user are only valid for a short period of time
      • Higher API limits! (probably the most important one for bigger orgs)

      This is specifically NOT about authenticating users against GitHub, but for authenticating Jenkins itself against GitHub.

      References: https://developer.github.com/apps/differences-between-apps/

          [JENKINS-57351] Support for making Jenkins a "GitHub App"

          Andreas Sieferlinger added a comment -

          The exact steps are described at https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#authenticating-as-a-github-app

          In terms of things that are needed for Jenkins:

          • A new credential type (storing the private PEM key, App ID, ...)
          • Authenticating as App and fetching Installation Tokens
          • Checking the validity of the installation token and renew if required (they are only short lived)
          • Using the installation token to Authorize (which is just setting the correct HTTP header for all calls to GitHub) (see https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#authenticating-as-an-installation)

          I'm not sure how exactly the authentication currently works in the context of this plugin. The change to use GitHub App tokens for other things I've worked on often wasn't too difficult.

          I could help with writing docs and testing of this.
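
Added example, not part of the original comment and not the plugin's code: the "check validity and renew" and "set the HTTP header" items from the list above, in Python. The `fetch_token` callable, the five-minute renewal margin, the one-hour lifetime in the demo and the sample tokens are assumptions; in a real integration `fetch_token` would authenticate as the App and POST to `/app/installations/{installation_id}/access_tokens`.

```python
from datetime import datetime, timedelta, timezone

# Assumption: renew this long before expiry so no request carries a stale token.
RENEW_MARGIN = timedelta(minutes=5)

def parse_expires_at(value):
    """Parse the `expires_at` timestamp from the token response (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class InstallationTokenProvider:
    """Caches one installation token and renews it shortly before it expires."""

    def __init__(self, fetch_token, now=lambda: datetime.now(timezone.utc)):
        # fetch_token is a hypothetical callable: it authenticates as the App and
        # returns the token response as a dict with "token" and "expires_at".
        self._fetch_token = fetch_token
        self._now = now
        self._token = None
        self._expires_at = None

    def token(self):
        if self._token is None or self._now() >= self._expires_at - RENEW_MARGIN:
            body = self._fetch_token()
            self._token = body["token"]
            self._expires_at = parse_expires_at(body["expires_at"])
        return self._token

    def auth_header(self):
        # Every call to GitHub carries the current installation token here.
        return {"Authorization": "token " + self.token()}

def demo():
    """Constructed scenario: fake clock, fake token endpoint issuing 1-hour tokens."""
    clock = [datetime(2019, 5, 7, 12, 0, tzinfo=timezone.utc)]
    issued = []

    def fake_fetch():
        issued.append("constructed-token-%d" % (len(issued) + 1))
        expires = clock[0] + timedelta(hours=1)
        return {"token": issued[-1], "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}

    provider = InstallationTokenProvider(fake_fetch, now=lambda: clock[0])
    seen = [provider.auth_header()["Authorization"]]        # first call fetches
    clock[0] += timedelta(minutes=30)
    seen.append(provider.auth_header()["Authorization"])    # served from cache
    clock[0] += timedelta(minutes=26)                       # 12:56, inside margin
    seen.append(provider.auth_header()["Authorization"])    # renewed
    return seen, len(issued)
```

Keeping the cached token in memory only, and never writing it to build logs, preserves the short-lifetime benefit the issue description lists.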

          Isaac Cohen added a comment -

          This would definitely be very helpful. As a GitHubber, I can tell you that this is the #1 challenge of my customers when integrating Jenkins with GitHub. Another huge benefit of GitHub Apps is that they are not tied to a specific user but rather to the Organization which means you don't need to create a "machine-user" with full access to the entire Organization. Happy to provide more context on this one!

          Isaac Cohen added a comment -

          depends on https://github.com/kohsuke/github-api/pull/522 which would implement GitHub Apps for kohsuke/github-api plugin

          Andreas Sieferlinger added a comment -

          Hope that PR will go through soon. Maybe bitwiseman could merge it

          Paulo Almeida added a comment -

          Hi guys, 

          I'm the author of the pull request that adds GitHub App integration to the kohsuke/github-api source code. Let me know if I can assist you guys on anything to get it merged.

          Paulo Almeida added a comment -

          webrat issc29 the PR was merged a couple of days ago. Is there anything I can do for helping this new feature to get implemented? (Both directly or indirectly)

          Eric D'ALES DE CORBET added a comment -

          This is definitely a most-wanted.

          • as stated, it avoids putting some user credential that can expire
          • it also brings the capability to enrich pull requests with the github check api

          Olivier Jacques added a comment -

          Not finished yet, but some have in progress work to have Jenkins act as a GitHub app. See https://github.com/github-api/github-api/issues/570#issuecomment-562200472

          Oleg Nenashev added a comment -

          https://github.com/jenkinsci/github-api-plugin release is still blocked due to binary compatibility risks which were introduced in the recent versions of GitHub API. See https://github.com/github-api/github-api/issues/630 for the feature request.

          Tim Jacomb added a comment -

          I've opened a draft PR for this: https://github.com/jenkinsci/github-branch-source-plugin/pull/269

          It's still blocked on the github-api-plugin release, and probably needs a bit more work on my side (automated tests are a bit light)

            timja Tim Jacomb
            webrat Andreas Sieferlinger
            Votes: 13
            Watchers: 24