JENKINS-59016

GitHub branch source 2.5.5 & newer ignore domain limited credentials when scanning


    • Type: Bug
    • Resolution: Fixed
    • Priority: Trivial
    • None
    • Environment: Jenkins 2.176.2
      GitHub Branch Source plugin 2.5.6
      Git plugin 3.12.0

      The GitHub branch source plugin uses the GitHub REST API to scan remote repositories for changes. I had incorrectly defined my GitHub credential in a credential domain that only included the github.com domain. The GitHub branch source plugin allowed me to select that credential, but then would not use that credential because it was making the request to api.github.com rather than github.com.

      My working credential domains had defined the domain as github.com,*.github.com. That working definition matched api.github.com.

      My incorrect credential domain was specified as only including github.com. With that incorrect domain specification, the repository scan log would report:

      Started
      [Tue Aug 20 13:00:40 MDT 2019] Starting branch indexing...
      13:00:40 Connecting to https://api.github.com with no credentials, anonymous access
      

      Without the credentials, scanning of private repositories is not allowed and scanning of public repositories is limited by a much smaller value for the GitHub API rate limit.

      Version Result
      2.5.6 Credentials ignored if assigned incorrect domain
      2.5.5 Credentials ignored if assigned incorrect domain
      2.5.4 Credentials honored if assigned incorrect domain
      2.5.3 Credentials honored if assigned incorrect domain
      2.4.5 Credentials honored if assigned incorrect domain
      2.3.6 Credentials honored if assigned incorrect domain

      Refer to the JENKINS-59016 branch in my jenkins-bugs repo for the Jenkins Pipeline that I use to test this. The jobs are run from inside a Docker image that I use which includes credentials used to access the repository.

      Credential domains usually only control user interface visibility of the credential, not job internal visibility of the credential. Beginning with GitHub branch source 2.5.5, the credential domain also controls job internal visibility of the credential.
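The point above is that a credential domain's hostname specification is matched against the host the plugin actually connects to (api.github.com), not the host the user had in mind (github.com). The following is an added example, not code from Jenkins or from the GitHub Branch Source plugin: a small Python model of that matching, used to show why a domain of "github.com" yields "no credentials" for an API scan while "github.com,*.github.com" does not. It assumes comma-separated include/exclude lists, case-insensitive comparison and glob-style "*" wildcards (fnmatch semantics); the exact matcher in the Jenkins credentials plugin may differ in edge cases. The credential ids and the repository URL are constructed for the example.

```python
# Added example (not code from Jenkins or the GitHub Branch Source plugin):
# a simplified model of how a Jenkins credential domain with a hostname
# specification is matched against the host a plugin connects to.
# Assumptions: include/exclude lists are comma-separated, compared
# case-insensitively, and "*" is a glob wildcard (fnmatch semantics);
# the real HostnameSpecification matcher may differ in edge cases.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def _patterns(spec):
    """Split a comma-separated hostname list into lower-cased patterns."""
    return [p.strip().lower() for p in spec.split(",") if p.strip()]


def hostname_matches(host, includes, excludes=""):
    """True if host is covered by the include list and not by the exclude list.

    An empty include list matches nothing, so a credential in such a domain
    is never offered for any host.
    """
    host = host.lower()
    if any(fnmatchcase(host, p) for p in _patterns(excludes)):
        return False
    return any(fnmatchcase(host, p) for p in _patterns(includes))


def domain_allows_url(url, includes, excludes=""):
    """Apply the hostname check to the host part of a URL (scheme and path are ignored)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    return hostname_matches(host, includes, excludes)


# Constructed credential inventory: (credential id, domain includes, domain excludes).
# The ids are made up for this example.
CREDENTIALS = [
    ("github-narrow", "github.com", ""),             # the "incorrect" domain from the report
    ("github-wide", "github.com,*.github.com", ""),  # the working definition from the report
]


def pick_credential(url, credentials=CREDENTIALS):
    """Return the id of the first credential whose domain covers the URL's host,
    or None, which corresponds to the scan falling back to anonymous access."""
    for cred_id, includes, excludes in credentials:
        if domain_allows_url(url, includes, excludes):
            return cred_id
    return None


if __name__ == "__main__":
    # Constructed URLs: a clone URL on github.com and the REST API endpoint.
    for url in ("https://github.com/example/repo.git", "https://api.github.com"):
        for cred_id, includes, excludes in CREDENTIALS:
            print(f"{url:40} {cred_id:14} {domain_allows_url(url, includes, excludes)}")
        print(f"{url:40} selected       {pick_credential(url)}")
```

Note that a glob of "*.github.com" on its own does not match the bare host "github.com", which is why the working definition in the report lists both "github.com" and "*.github.com"; a domain that covers only the clone host will pass the Jenkins UI's credential picker but, with branch source 2.5.5 and newer, leave the API scan unauthenticated.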

            jtaboada Jose Blas Camacho Taboada
            markewaite Mark Waite