Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59016

GitHub branch source 2.5.5 & newer ignore domain limited credentials when scanning

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Trivial
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      Jenkins 2.176.2
      GitHub Branch Source plugin 2.5.6
      Git plugin 3.12.0
    • Similar Issues:

      Description

      The GitHub branch source plugin uses the GitHub REST API to scan remote repositories for changes. I had incorrectly defined my GitHub credential in a credential domain that only included the github.com domain. The GitHub branch source plugin allowed me to select that credential, but then would not use that credential because it was making the request to api.github.com rather than github.com.

      My working credential domains had defined the domain as github.com,*.github.com. That working definition matched api.github.com.

      My incorrect credential domain was specified as only including github.com. With that incorrect domain specificiation, the repository scan log would report:

      Started
      [Tue Aug 20 13:00:40 MDT 2019] Starting branch indexing...
      13:00:40 Connecting to https://api.github.com with no credentials, anonymous access
      

      Without the credentials, scanning of private repositories is not allowed and scanning of public repositories is limited by a much smaller value for the GitHub API rate limit.

      Version Result
      2.5.6 Credentials ignored if assigned incorrect domain
      2.5.5 Credentials ignored if assigned incorrect domain
      2.5.4 Credentials honored if assigned incorrect domain
      2.5.3 Credentials honored if assigned incorrect domain
      2.4.5 Credentials honored if assigned incorrect domain
      2.3.6 Credentials honored if assigned incorrect domain

      Refer to the JENKINS-59016 branch in my jenkins-bugs repo for the Jenkins Pipeline that I use to test this. The jobs are run from inside a Docker image that I use which includes credentials used to access the repository.

      Credential domains usually only control user interface visibility of the credential, not job internal visibility of the credential. Beginning with GitHub branch source 2.5.5, the credential domain also controls job internal visibility of the credential.

        Attachments

          Activity

            People

            Assignee:
            jtaboada Jose Blas Camacho Taboada
            Reporter:
            markewaite Mark Waite
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: