JENKINS-62594

Scanning private repos of GitHub user accounts with GitHub App credentials fails

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor
    • GitHub API Plugin 1.112.0
      GitHub Branch Source Plugin 2.8.0
      GitHub Plugin 1.30.0

      Docker image jenkins/jenkins:lts
      DIGEST:sha256:83df661d1a2ad921323868ca48f432b175b039bb9e16be0209c0253f3186f25e

      In the “New Item” view, the description for the plugin is as follows:

      Scans a GitHub organization (or user account) for all repositories […]

      However, private repositories belonging to GitHub user accounts are not found if GitHub App credentials are used. The scan only works using personal access tokens or password authentication.


          Sascha Sadeghian added a comment - edited

          bitwiseman

          Yes, I have installed the GitHub App on my personal account, using the install guide:

          https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc

          I have given it read access to all repositories:

            User Account > Settings > Applications > Installed GitHub Apps > (App) > Configure

            ✓ Read access to code
            ✓ Read access to commit statuses, metadata, and pull requests
            ◉ All repositories

          After the installation, the App is visible in the private repository.

            Repository > Settings > Integrations > Installed GitHub Apps > (App) > Configure

          There were no further steps necessary for this. Authentication in Jenkins also works – it is just that the scan reports 0 processed repositories:

            [Tue Jun 09 16:01:58 UTC 2020] Starting organization scan...
            [Tue Jun 09 16:01:58 UTC 2020] Updating actions...
            Looking up details of $user...
            Organization URL: $full_name
            [Tue Jun 09 16:01:58 UTC 2020] Consulting GitHub Organization
            16:01:58 Connecting to https://api.github.com using xxxxx/******
            Looking up repositories of user $user
            16:01:59 0 repositories were processed
            [Tue Jun 09 16:01:59 UTC 2020] Finished organization scan. Scan took 1 sec
            Finished: SUCCESS

          If I repeat the same for an organization, all private and public repos belonging to the org are found (and scanned).


          Liam Newman added a comment -

          Oh, I see! That helps clarify what is going on. Something is assuming orgs-only.


          Liam Newman added a comment -

          sadeghian
          What happens if you use an OAuth token instead of app credentials?
          (To do this you create a user name and password credential, but pass the token as the password.)


          Sascha Sadeghian added a comment - edited

          bitwiseman

          I tried the following combinations:

          • Repo visibility: public | private
          • Owner: profile | organization
          • Authentication: username:password | username:token | GitHub App

          The scan only fails for private repos owned by a profile, when authenticating via GitHub App.


          Liam Newman added a comment -

          sadeghian
          Thanks for the information. That will help find the code path that is causing this.


          Sergei Waigant added a comment -

          We have the exact same situation when using GitHub Enterprise 2.20+

          The GitHub App Credentials in Jenkins are not usable for private repositories.

          Stack trace attached, which comes up when selecting the GitHub App credentials in a multibranch pipeline job.
          private-repo-stacktrace.txt

          Nikita Zavyalov added a comment -

          I can also confirm the bug. We are using GitHub Enterprise as well.

          I used the secret from the GitHub App to manually make connections to GitHub API and it was able to retrieve internal repositories. When using the same secret with the plugin it can only find the public repos.

          Tested on the latest version and 2.7.1

          Sergei Waigant added a comment -

          I was surprised that the private repositories were readable for another installation...
          Now I was running into the same problem, and the root cause was that the app was installed into two different organisations.
          If you want to interact with a private repository, you need to set the "owner" in the GitHub App Credential in Jenkins to the particular organisation...

          I think that issue is related to https://issues.jenkins-ci.org/browse/JENKINS-62220

          We are on GitHub Branch Source 2.8.3
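
The owner mismatch described in the comment above can be checked offline against the app's list of installations. This is an added example, not part of the original thread or the plugin's code; the sample data is constructed (shaped like GitHub's `GET /app/installations` response) and the function name `resolve_installation` is hypothetical.

```python
import json

# Constructed sample, trimmed to the fields used below. Account names and
# installation ids are made up for illustration.
SAMPLE_INSTALLATIONS = json.loads("""
[
  {"id": 1001, "account": {"login": "example-org-a", "type": "Organization"},
   "repository_selection": "all"},
  {"id": 1002, "account": {"login": "example-org-b", "type": "Organization"},
   "repository_selection": "selected"},
  {"id": 1003, "account": {"login": "example-user", "type": "User"},
   "repository_selection": "all"}
]
""")


def resolve_installation(installations, scan_owner, credential_owner=""):
    """Return (installation, warnings) for a scan of `scan_owner`.

    `credential_owner` models the "owner" field of the Jenkins GitHub App
    credential; an empty string means the field was left unset.
    """
    warnings = []
    by_login = {i["account"]["login"].lower(): i for i in installations}
    wanted = (credential_owner or scan_owner).lower()
    # An installation token is scoped to one account, so a credential bound
    # to a different owner cannot read the scan owner's private repositories.
    if credential_owner and credential_owner.lower() != scan_owner.lower():
        warnings.append(
            f"credential owner '{credential_owner}' differs from scan owner "
            f"'{scan_owner}': token will not cover its private repositories")
    if not credential_owner and len(installations) > 1:
        warnings.append(
            f"{len(installations)} installations and no owner set: "
            "selection is ambiguous, set the owner explicitly")
    match = by_login.get(wanted)
    if match is None:
        warnings.append(f"app is not installed on '{wanted}'")
    elif match["repository_selection"] != "all":
        warnings.append(
            f"installation {match['id']} covers selected repositories only")
    return match, warnings


if __name__ == "__main__":
    inst, notes = resolve_installation(SAMPLE_INSTALLATIONS, "example-org-a", "example-org-b")
    print(inst["id"], notes)
```
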

          Triangulum Labs added a comment -

          I also have the exact problems that sadeghian is facing, any progress on this?

          Dee Kryvenko added a comment -

          It seems like https://issues.jenkins.io/browse/JENKINS-62220 is the root cause for this issue.

          Also see my comment here for more details https://issues.jenkins.io/browse/JENKINS-34612?focusedCommentId=401331&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-401331

          I have filed a separate issue https://issues.jenkins.io/browse/JENKINS-64249 to fix documentation as it is confusing as it is right now.

          I am closing this issue as duplicate in favor of 62220 - let's focus discussion there.


            Assignee: Unassigned
            Reporter: Sascha Sadeghian (sadeghian)
            Votes: 0
            Watchers: 6