- New Feature
- Resolution: Fixed
- Major
- None
To my understanding, currently the github-branch-source plugin always requires GitHub user credentials / tokens to authenticate.
I'd suggest adding authentication of Jenkins to GitHub as a GitHub App too.
Why is this better than the current way:
- GitHub Apps can be granted very fine-grained permissions
- GitHub Apps can be added either to a whole org, or just to selected repos
- The app uses a key pair to then get temporary credentials, so leaked creds to user are only valid for a short period of time
- Higher API limits! (probably the most important one for bigger orgs)
This is specifically NOT about authenticating users against GitHub, but about authenticating Jenkins itself against GitHub.
References: https://developer.github.com/apps/differences-between-apps/
- relates to
  - JENKINS-60901 GitHub manages hooks even when it has not been configured to do it (Open)
  - JENKINS-60480 github is deprecating basic authentication using password (Closed)
  - JENKINS-62220 GitHub App to support credentials with multiple organizations (Resolved)
The exact steps are described at https://developer.github.com/apps/building-github-apps/authenticating-with-github-apps/#authenticating-as-a-github-app
In terms of things that are needed for Jenkins:
I'm not sure how exactly the authentication currently works in the context of this plugin. The change to use GitHub App tokens for other things I've worked on often wasn't too difficult.
I could help with writing docs and testing of this.
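
The "authenticating as a GitHub App" step referenced in the comment above, as an added example that is not part of the original issue or the plugin's own code: it signs the short-lived RS256 JWT with the app's private key and verifies it with the public half. The class name `GitHubAppJwt`, the app ID `12345` and the throwaway key pair are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;

public class GitHubAppJwt {  // hypothetical class name
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Builds the JWT a GitHub App sends as "Authorization: Bearer <jwt>". */
    static String createJwt(String appId, PrivateKey key, Instant now) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        // iat is backdated 60 s to tolerate clock drift; exp may be at most 10 minutes ahead.
        long iat = now.getEpochSecond() - 60;
        long exp = now.getEpochSecond() + 9 * 60;
        String claims = "{\"iat\":" + iat + ",\"exp\":" + exp + ",\"iss\":\"" + appId + "\"}";
        String signingInput = b64(header) + "." + b64(claims);
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initSign(key);
        rsa.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(rsa.sign());
    }

    static String b64(String s) { return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    /** Checks the signature over "header.claims" with the public key, as the receiver would. */
    static boolean verify(String jwt, PublicKey pub) throws Exception {
        int dot = jwt.lastIndexOf('.');
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initVerify(pub);
        rsa.update(jwt.substring(0, dot).getBytes(StandardCharsets.US_ASCII));
        return rsa.verify(Base64.getUrlDecoder().decode(jwt.substring(dot + 1)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key pair; a real app loads the private key generated in its settings.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        String jwt = createJwt("12345", pair.getPrivate(), Instant.now()); // placeholder app ID
        System.out.println("JWT signature valid: " + verify(jwt, pair.getPublic()));
        // The JWT is then exchanged for an installation token that expires after one hour:
        //   POST https://api.github.com/app/installations/<INSTALLATION_ID>/access_tokens
        //   Authorization: Bearer <jwt>
    }
}
```

Only the private key is long-lived; the JWT and the installation token it is exchanged for both expire on their own, which is the property the description's third bullet relies on.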