Jenkins / JENKINS-62594

Scanning private repos of GitHub user accounts with GitHub App credentials fails

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Environment:
      GitHub API Plugin 1.112.0
      GitHub Branch Source Plugin 2.8.0
      GitHub Plugin 1.30.0

      Docker image jenkins/jenkins:lts
      DIGEST:sha256:83df661d1a2ad921323868ca48f432b175b039bb9e16be0209c0253f3186f25e
      Description

      In the “New Item” view, the description for the plugin is as follows:

      Scans a GitHub organization (or user account) for all repositories […]

      However, private repositories belonging to GitHub user accounts are not found if GitHub App credentials are used. The scan only works using personal access tokens or password authentication.

            Activity

            bitwiseman Liam Newman added a comment -

            Sascha Sadeghian
            Could you be more specific about your Jenkins and GitHub repo configuration?
            For example, do the private user repositories have the GitHub App installed? If not, then it is reasonable that the user's private repos won't be found - the App doesn't have permission to see it.

            sadeghian Sascha Sadeghian added a comment - - edited

            Liam Newman

            Yes, I have installed the GitHub App on my personal account, using the install guide:

            https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc

            I have given it read access to all repositories:

              User Account > Settings > Applications > Installed GitHub Apps > (App) > Configure

              ✓ Read access to code
              ✓ Read access to commit statuses, metadata, and pull requests
              ◉ All repositories

            After the installation, the App is visible in the private repository.

              Repository > Settings > Integrations > Installed GitHub Apps > (App) > Configure

            There were no further steps necessary for this. Authentication in Jenkins also works – it is just that the scan reports 0 processed repositories:

              [Tue Jun 09 16:01:58 UTC 2020] Starting organization scan...
              [Tue Jun 09 16:01:58 UTC 2020] Updating actions...
              Looking up details of $user...
              Organization URL: $full_name
              [Tue Jun 09 16:01:58 UTC 2020] Consulting GitHub Organization
              16:01:58 Connecting to https://api.github.com using xxxxx/******
              Looking up repositories of user $user
              16:01:59 0 repositories were processed
              [Tue Jun 09 16:01:59 UTC 2020] Finished organization scan. Scan took 1 sec
              Finished: SUCCESS

            If I repeat the same for an organization, all private and public repos belonging to the org are found (and scanned).

            bitwiseman Liam Newman added a comment -

            Oh, I see! That helps clarify what is going on. Something is assuming orgs-only.

            bitwiseman Liam Newman added a comment -

            Sascha Sadeghian
            What happens if you use an oauth token instead of app credentials?
            (To do this you create a user name and password credential, but pass the token as the password.)

            sadeghian Sascha Sadeghian added a comment - - edited

            Liam Newman

            I tried the following combinations:

            • Repo visibility: public | private
            • Owner: profile | organization
            • Authentication: username:password | username:token | GitHub App

            The scan only fails for private repos owned by a profile, when authenticating via GitHub App.

            bitwiseman Liam Newman added a comment -

            Sascha Sadeghian
            Thanks for the information. That will help find the code path that is causing this.

            sergeiwaigant Sergei Waigant added a comment -

            We have the exact same situation when using GitHub Enterprise 2.20+

            The GitHub App Credentials in Jenkins are not usable for private repositories.

            Stack Trace attached which is coming when selecting the GitHub App credentials in a multi branch pipeline job.
            private-repo-stacktrace.txt

             

            gaikanomer9 Nikita Zavyalov added a comment -

            I can also confirm the bug. We are using GitHub Enterprise as well.

            I used the secret from the GitHub App to manually make connections to GitHub API and it was able to retrieve internal repositories. When using the same secret with the plugin it can only find the public repos.

            Tested on the latest version and 2.7.1

            sergeiwaigant Sergei Waigant added a comment -

            I was surprised that the private repositories were readable for another installation...
            Now I was running into the same problem, and the root cause was that the app was installed into two different organisations.
            If you want to interact with a private repository, you need to set the "owner" in the GitHub App Credential in Jenkins to the particular organisation...

            I think that issue is related to https://issues.jenkins-ci.org/browse/JENKINS-62220

            We are on GitHub Branch Source 2.8.3
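
Added example, not part of the original thread or of the plugin's code: a Python check of the owner-to-installation lookup that the comment above describes, run against a constructed `GET /app/installations` response. The account logins, installation IDs and the helper names `select_installation` and `diagnose` are assumptions made for illustration.

```python
import json

# Constructed sample of a GET /app/installations response (the call is made
# with the App JWT). Logins and IDs are made up for illustration.
SAMPLE_INSTALLATIONS = json.loads("""
[
  {"id": 1001, "account": {"login": "example-org", "type": "Organization"}, "repository_selection": "all"},
  {"id": 1002, "account": {"login": "other-org", "type": "Organization"}, "repository_selection": "selected"},
  {"id": 1003, "account": {"login": "example-user", "type": "User"}, "repository_selection": "all"}
]
""")


class InstallationError(LookupError):
    """Raised when no single installation can be chosen for the request."""


def select_installation(installations, owner=None):
    """Pick the installation whose token applies to `owner` (hypothetical helper)."""
    if owner is None:
        # Without an owner the choice is only safe when there is exactly one
        # installation; refuse instead of silently using the wrong scope.
        if len(installations) == 1:
            return installations[0]
        logins = sorted(i["account"]["login"] for i in installations)
        raise InstallationError(f"owner required, App is installed on: {logins}")
    wanted = owner.casefold()  # GitHub logins are case-insensitive
    matches = [i for i in installations if i["account"]["login"].casefold() == wanted]
    if not matches:
        raise InstallationError(f"App is not installed on account {owner!r}")
    return matches[0]


def diagnose(installations, owner):
    """Summarise which installation and REST paths apply to a scan of `owner`."""
    inst = select_installation(installations, owner)
    return {
        "installation_id": inst["id"],
        "account_type": inst["account"]["type"],
        "repository_selection": inst["repository_selection"],
        # POST here with the App JWT to obtain the installation token.
        "token_path": f"/app/installations/{inst['id']}/access_tokens",
        # With that token, this lists every repository the installation
        # can access, private ones included.
        "list_repos_path": "/installation/repositories",
    }
```

Comparing the repositories returned for the selected installation with what the Jenkins scan log reports shows whether the gap is in the App's permissions or in how the credential is scoped.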

            triangulumlabs Triangulum Labs added a comment -

            I also have the exact problems that Sascha Sadeghian is facing, any progress on this?

            llibicpep Dmytro Kryvenko added a comment -

            It seems like https://issues.jenkins.io/browse/JENKINS-62220 is the root cause for this issue.

            Also see my comment here for more details https://issues.jenkins.io/browse/JENKINS-34612?focusedCommentId=401331&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-401331

            I have filed a separate issue https://issues.jenkins.io/browse/JENKINS-64249 to fix documentation as it is confusing as it is right now.

            I am closing this issue as duplicate in favor of 62220 - let's focus discussion there.

            llibicpep Dmytro Kryvenko made changes -
            Link This issue duplicates JENKINS-62220 [ JENKINS-62220 ]
            llibicpep Dmytro Kryvenko made changes -
            Resolution Duplicate [ 3 ]
            Status Open [ 1 ] Closed [ 6 ]

              People

              Assignee: Unassigned
              Reporter: Sascha Sadeghian (sadeghian)
              Votes: 0
              Watchers: 6