-
Type:
New Feature
-
Resolution: Unresolved
-
Priority:
Minor
-
Component/s: git-plugin, github-branch-source-plugin
The github branch source plugin introduced support for "github app" authentication in 2020:
https://www.jenkins.io/blog/2020/04/16/github-app-authentication/
It is possible to use these access keys as git credentials, as outlined in github's documentation. This has a number of advantages over deploy keys:
- They are not rate limited the same way other keys are
- Github deploy keys can only be assigned to one project where github apps can be applied to several projects
It is possible to use the credentials by wrapping them in a withCredentials block like so:
withCredentials([usernamePassword(credentialsId: 'github-app-credentials', usernameVariable: 'GITHUB_APP', passwordVariable: 'GITHUB_ACCESS_TOKEN')]) { checkout ([ $class: 'GitSCM', userRemoteConfigs: [[ credentialsId: '', url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git" ]],
However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.
It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.
This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.
It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:
