JENKINS-64803

Shared Library using folder-scoped credential fails to authenticate when using tags


    • 4.10.0

      Loading a shared library (checkout) from a tag does not use the provided credentials, if they're specified via the folder plugin:

      lib = library(
          identifier: "my_repo@tag",
          retriever: modernSCM(
              [$class: 'GitSCMSource',
              remote: "https://path/to/my_repo.git",
              credentialsId: 'my_user_credentials_in_folder_scope'],
              traits: [gitBranchDiscovery(), gitTagDiscovery()]
          )
      )
      

      When using a branch name as the version (identifier: "my_repo@branch_name"), the library is checked out correctly:

      Running in Durability level: MAX_SURVIVABILITY
      [Pipeline] Start of Pipeline
      [Pipeline] echo
      Using legacySCM
      [Pipeline] library
      Loading library my_repo@master
      Selected Git installation does not exist. Using Default
      The recommended git tool is: NONE
      using credential test
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://path/to/my_repo.git # timeout=10
      Fetching upstream changes from https://path/to/my_repo.git
       > git --version # timeout=10
       > git --version # 'git version 2.11.0'
      using GIT_ASKPASS to set credentials 
       > git fetch --tags --progress -- https://path/to/my_repo.git +refs/heads/*:refs/remotes/origin/* # timeout=10
       > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
      Checking out Revision 43ecdf79f1e479252fd29d429eba29323364bf46 (refs/remotes/origin/master)
       > git config core.sparsecheckout # timeout=10
       > git checkout -f 43ecdf79f1e479252fd29d429eba29323364bf46 # timeout=10
      Commit message: "Merge branch 'release/2.2.0'"
       > git rev-list --no-walk 43ecdf79f1e479252fd29d429eba29323364bf46 # timeout=10
      [Pipeline] End of Pipeline
      Finished: SUCCESS
      

      But when using a tag, the checkout fails with the access being denied:

      Running in Durability level: MAX_SURVIVABILITY
      [Pipeline] Start of Pipeline
      [Pipeline] echo
      Using modernSCM
      [Pipeline] library
      Loading library my_repo@1.1.0
      Attempting to resolve 1.1.0 from remote references...
       > git --version # timeout=10
       > git --version # 'git version 2.11.0'
      using GIT_ASKPASS to set credentials 
       > git ls-remote -h -t -- https://path/to/my_repo.git # timeout=10
      Found match: refs/tags/1.1.0 revision 81fc8536284ca1c5fb526127b2b9e3349722f39c
      Resolving tag commit... (remote references may be a lightweight tag or an annotated tag)
       > git rev-parse --is-inside-work-tree # timeout=10
      Setting origin to https://path/to/my_repo.git
       > git config remote.origin.url https://path/to/my_repo.git # timeout=10
      Fetching origin...
      Fetching upstream changes from origin
       > git --version # timeout=10
       > git --version # 'git version 2.11.0'
       > git config --get remote.origin.url # timeout=10
       > git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/* # timeout=10
      ERROR: Checkout failed
      hudson.plugins.git.GitException: Command "git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: remote: HTTP Basic: Access denied
      fatal: Authentication failed for 'https://path/to/my_repo.git/'
      
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2450)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2051)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:573)
      	at jenkins.plugins.git.AbstractGitSCMSource.doRetrieve(AbstractGitSCMSource.java:370)
      	at jenkins.plugins.git.AbstractGitSCMSource.doRetrieve(AbstractGitSCMSource.java:330)
      	at jenkins.plugins.git.AbstractGitSCMSource.retrieve(AbstractGitSCMSource.java:956)
      	at jenkins.scm.api.SCMSource.fetch(SCMSource.java:636)
      	at org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.lambda$retrieve$0(SCMSourceRetriever.java:92)
      	at org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.retrySCMOperation(SCMSourceRetriever.java:107)
      	at org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.retrieve(SCMSourceRetriever.java:92)
      	at org.jenkinsci.plugins.workflow.libs.LibraryAdder.retrieve(LibraryAdder.java:157)
      	at org.jenkinsci.plugins.workflow.libs.LibraryStep$Execution.run(LibraryStep.java:205)
      	at org.jenkinsci.plugins.workflow.libs.LibraryStep$Execution.run(LibraryStep.java:154)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
      	at hudson.security.ACL.impersonate(ACL.java:367)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      

      The issue only occurs with folder-scoped credentials. When specifying the credential in the global scope instead of folder scope, we can also check out the tag as intended.

            allan_burdajewicz Allan BURDAJEWICZ
            degelma Marian Degel
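The two console logs above differ in one observable way: the branch load prints "using GIT_ASKPASS to set credentials" directly before its `git fetch`, while the tag load prints it only before `git ls-remote`. The following is an added triage example, not part of the original issue or of any Jenkins plugin, that flags remote git commands in a console log that ran without that marker; the function names and the "previous line" heuristic are assumptions derived from these two logs.

```python
import re

# Marker printed right before a credentialed command in both logs on this page.
# Accepting any "using <X> to set credentials" variant is an assumption.
CRED_MARKER = re.compile(r"^\s*using \S+ to set credentials")
# Git commands that contact the remote (fetch and ls-remote appear on the page).
REMOTE_CMD = re.compile(r"^\s*> (git (?:fetch|ls-remote|clone)\b.*?)(?: # timeout=\d+)?\s*$")
AUTH_FAIL = re.compile(r"Authentication failed for|HTTP Basic: Access denied")


def audit_console_log(text):
    """Return (commands, auth_failed); commands holds (line_no, cmd, credentialed).

    Heuristic from this page's logs: a command is credentialed only when the
    previous non-blank line is the credential marker.
    """
    commands, auth_failed, prev = [], False, ""
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = REMOTE_CMD.match(line)
        if m:
            commands.append((no, m.group(1), bool(CRED_MARKER.match(prev))))
        auth_failed = auth_failed or bool(AUTH_FAIL.search(line))
        prev = line
    return commands, auth_failed


def uncredentialed(text):
    """Remote git commands that ran with no credentials attached."""
    return [(no, cmd) for no, cmd, ok in audit_console_log(text)[0] if not ok]


# Excerpts of the two console logs above (branch load, then tag load).
BRANCH_LOG = """\
using GIT_ASKPASS to set credentials
 > git fetch --tags --progress -- https://path/to/my_repo.git +refs/heads/*:refs/remotes/origin/* # timeout=10
"""
TAG_LOG = """\
using GIT_ASKPASS to set credentials
 > git ls-remote -h -t -- https://path/to/my_repo.git # timeout=10
 > git config --get remote.origin.url # timeout=10
 > git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/* # timeout=10
stderr: remote: HTTP Basic: Access denied
"""

if __name__ == "__main__":
    for name, log in (("branch", BRANCH_LOG), ("tag", TAG_LOG)):
        print(name, uncredentialed(log), audit_console_log(log)[1])
```

Run over a saved console log, a non-empty result together with an authentication failure points at a code path that dropped the configured credential rather than at a wrong password.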