
GitHub branch source 2.5.5 & newer ignore domain limited credentials when scanning

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Trivial
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      Jenkins 2.176.2
      GitHub Branch Source plugin 2.5.6
      Git plugin 3.12.0
      Description

      The GitHub branch source plugin uses the GitHub REST API to scan remote repositories for changes. I had incorrectly defined my GitHub credential in a credential domain that only included the github.com domain. The GitHub branch source plugin allowed me to select that credential, but then would not use that credential because it was making the request to api.github.com rather than github.com.

      My working credential domains had defined the domain as github.com,*.github.com. That working definition matched api.github.com.

      My incorrect credential domain was specified as only including github.com. With that incorrect domain specification, the repository scan log would report:

      Started
      [Tue Aug 20 13:00:40 MDT 2019] Starting branch indexing...
      13:00:40 Connecting to https://api.github.com with no credentials, anonymous access
      

      Without the credentials, scanning of private repositories is not allowed and scanning of public repositories is limited by a much smaller value for the GitHub API rate limit.

      Version | Result
      2.5.6   | Credentials ignored if assigned incorrect domain
      2.5.5   | Credentials ignored if assigned incorrect domain
      2.5.4   | Credentials honored if assigned incorrect domain
      2.5.3   | Credentials honored if assigned incorrect domain
      2.4.5   | Credentials honored if assigned incorrect domain
      2.3.6   | Credentials honored if assigned incorrect domain

      Refer to the JENKINS-59016 branch in my jenkins-bugs repo for the Jenkins Pipeline that I use to test this. The jobs are run from inside a Docker image that I use which includes credentials used to access the repository.

      Credential domains usually only control user interface visibility of the credential, not job internal visibility of the credential. Beginning with GitHub branch source 2.5.5, the credential domain also controls job internal visibility of the credential.
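
The mismatch described above can be checked mechanically. The following is an added example, not code from the issue or from any Jenkins plugin: a simplified model of a comma-separated hostname include list with `*` wildcards, applied to the host named in a scan log's "no credentials, anonymous access" line. The function names are hypothetical, and the rule that a blank include list places no restriction is an assumption.

```python
import re
from urllib.parse import urlsplit

# Scan log from the issue description above.
SAMPLE_LOG = """\
Started
[Tue Aug 20 13:00:40 MDT 2019] Starting branch indexing...
13:00:40 Connecting to https://api.github.com with no credentials, anonymous access
"""

ANON_RE = re.compile(r"Connecting to (\S+) with no credentials, anonymous access")


def parse_hostname_spec(spec):
    """Split a comma-separated pattern list, trimming blanks and lowercasing."""
    return [p.strip().lower() for p in spec.split(",") if p.strip()]


def _pattern_to_regex(pattern):
    """Translate one pattern: '*' is any run of characters, '?' is one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # dots and other characters are literal
    return re.compile("".join(parts))


def spec_covers_host(includes, host, excludes=""):
    """Return True if the host is matched by the include list and not excluded."""
    host = host.strip().lower().rstrip(".")
    if any(_pattern_to_regex(p).fullmatch(host) for p in parse_hostname_spec(excludes)):
        return False
    patterns = parse_hostname_spec(includes)
    if not patterns:
        return True  # assumption: a blank include list does not restrict hosts
    return any(_pattern_to_regex(p).fullmatch(host) for p in patterns)


def anonymous_connections(log_text):
    """Return the URLs a scan log says were contacted without credentials."""
    return ANON_RE.findall(log_text)


def diagnose(log_text, includes, excludes=""):
    """For each anonymous connection, report (url, host, covered_by_spec).

    covered_by_spec == False means the credential's domain does not match the
    host actually contacted, which is the misconfiguration in this issue.
    """
    results = []
    for url in anonymous_connections(log_text):
        host = urlsplit(url).hostname or ""
        results.append((url, host, spec_covers_host(includes, host, excludes)))
    return results


if __name__ == "__main__":
    for spec in ("github.com", "github.com,*.github.com"):
        for url, host, covered in diagnose(SAMPLE_LOG, spec):
            verdict = "covers" if covered else "does NOT cover"
            print(f"domain spec {spec!r} {verdict} {host} ({url})")
```
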

          Activity

          markewaite Mark Waite created issue -
          markewaite Mark Waite made changes -
          Priority: Major [ 3 ] → Critical [ 2 ]
          markewaite Mark Waite made changes -
          Summary: "GitHub branch source won't scan with folder scoped credentials" → "GitHub branch source scan ignores credentials based on credential domain"
          markewaite Mark Waite made changes -
          Priority: Critical [ 2 ] → Trivial [ 5 ]
          markewaite Mark Waite made changes -
          Comment [ Based on the change history between 2.5.4 and 2.5.5, I assume that [~lnewman] or [~dnusbaum] or [~jtaboada] are the likely ones to investigate the code. ]
          markewaite Mark Waite made changes -
          Summary
          Original: GitHub branch source scan ignores credentials based on credential domain
          New: GitHub branch source 2.5.5 and newer ignores credentials based on credential domain when scanning repositories
          markewaite Mark Waite made changes -
          Summary
          Original: GitHub branch source 2.5.5 and newer ignores credentials based on credential domain when scanning repositories
          New: GitHub branch source 2.5.5 & newer correctly ignore domain limited credentials when scanning
          markewaite Mark Waite made changes -
          Summary
          Original: GitHub branch source 2.5.5 & newer correctly ignore domain limited credentials when scanning
          New: GitHub branch source 2.5.5 & newer ignore domain limited credentials when scanning
          markewaite Mark Waite made changes -
          Description
          The GitHub branch source plugin uses the GitHub REST API to scan remote repositories for changes. I had incorrectly defined my GitHub credential in a credential domain that only included the {{github.com}} domain. The GitHub branch source plugin allowed me to select that credential, but then would not use that credential because it was making the request to {{api.github.com}} rather than {{github.com}}.

          My working credential domains had defined the domain as {{github.com,*.github.com}}. That working definition matched {{api.github.com}}.

          My incorrect credential domain was specified as only including {{github.com}}. With that incorrect domain specification, the repository scan log would report:

          {code}
          Started
          [Tue Aug 20 13:00:40 MDT 2019] Starting branch indexing...
          13:00:40 Connecting to https://api.github.com with no credentials, anonymous access
          {code}

          Without the credentials, scanning of private repositories is not allowed and scanning of public repositories is limited by a much smaller value for the GitHub API rate limit.

          ||Version||Result||
          |2.5.6|Credentials ignored if assigned incorrect domain|
          |2.5.5|Credentials ignored if assigned incorrect domain|
          |2.5.4|Credentials honored if assigned incorrect domain|
          |2.5.3|Credentials honored if assigned incorrect domain|
          |2.4.5|Credentials honored if assigned incorrect domain|
          |2.3.6|Credentials honored if assigned incorrect domain|

          Refer to the [JENKINS-59016 branch in my jenkins-bugs repo|https://github.com/MarkEWaite/jenkins-bugs/tree/JENKINS-59016] for the Jenkins Pipeline that I use to test this. The jobs are run from inside a Docker image that I use which includes credentials used to access the repository.

          Credential domains usually only control user interface visibility of the credential, not job internal visibility of the credential. Beginning with GitHub branch source 2.5.5, the credential domain also controls job internal visibility of the credential.
          jtaboada Jose Blas Camacho Taboada made changes -
          Assignee Jose Blas Camacho Taboada [ jtaboada ]
          jtaboada Jose Blas Camacho Taboada made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          jtaboada Jose Blas Camacho Taboada made changes -
          Status In Progress [ 3 ] In Review [ 10005 ]
          jtaboada Jose Blas Camacho Taboada made changes -
          Resolution Fixed [ 1 ]
          Status In Review [ 10005 ] Resolved [ 5 ]
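
The hostname mismatch from the description above, as an added example that is not part of the original report or the plugin's code: it pulls the anonymously contacted host out of the quoted scan log and reports which credential domains would cover it. It assumes a domain's hostname list is comma-separated with `*` as a wildcard matched against the whole hostname, as the `github.com,*.github.com` example implies; the domain names `github-narrow` and `github-wide` are constructed.

```python
import re
from urllib.parse import urlsplit

# Scan-log line quoted in the issue description.
ANON = re.compile(r"Connecting to (\S+) with no credentials, anonymous access")


def _pattern_to_regex(pattern):
    # Assumption: '*' is the only wildcard; everything else is literal.
    body = "".join(".*" if c == "*" else re.escape(c) for c in pattern)
    return re.compile(body, re.IGNORECASE)


def spec_matches(include_spec, host):
    """True if host fully matches any comma-separated pattern in the spec."""
    patterns = [p.strip() for p in include_spec.split(",") if p.strip()]
    return any(_pattern_to_regex(p).fullmatch(host) is not None for p in patterns)


def anonymous_hosts(scan_log):
    """Hosts the scan contacted without credentials, taken from the log text."""
    return [urlsplit(url).hostname for url in ANON.findall(scan_log)]


def audit(scan_log, domains):
    """Map each anonymously contacted host to the domains whose spec covers it."""
    return {
        host: sorted(name for name, spec in domains.items() if spec_matches(spec, host))
        for host in anonymous_hosts(scan_log)
    }


# Log text from the issue; the domain names below are constructed.
SCAN_LOG = """\
Started
[Tue Aug 20 13:00:40 MDT 2019] Starting branch indexing...
13:00:40 Connecting to https://api.github.com with no credentials, anonymous access
"""
DOMAINS = {
    "github-narrow": "github.com",              # the reporter's failing domain
    "github-wide": "github.com,*.github.com",   # the reporter's working domain
}

if __name__ == "__main__":
    for host, covering in audit(SCAN_LOG, DOMAINS).items():
        print(host, "covered by:", covering or "no credential domain")
```

A credential stored in a domain that is missing from the result for `api.github.com` is one the scan would skip on 2.5.5 and newer.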

            People

            Assignee:
            jtaboada Jose Blas Camacho Taboada
            Reporter:
            markewaite Mark Waite
            Votes:
            1
            Watchers:
            4