  1. Jenkins
  2. JENKINS-67600

Support checkout with Github App credentials


      The GitHub Branch Source plugin introduced support for "GitHub App" authentication in 2020:


      It is possible to use these access keys as git credentials, as outlined in GitHub's documentation. This has a number of advantages over deploy keys:

      It is possible to use the credentials by wrapping them in a withCredentials block like so:

          withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                            usernameVariable: 'GITHUB_APP',
                                            passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
              checkout([
                  $class: 'GitSCM',
                  userRemoteConfigs: [[
                      credentialsId: '',
                      // Double-quoted GString: Groovy interpolates the token into the URL
                      url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                  ]]
              ])
          }

      However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

      It'd be great if the git plugin supported GitHubAppCredentials natively, so that a user could just reference the credentialId and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

      This would overcome the current limitations: not being able to reuse credentials for submodules, and the security implications of passing around secrets via Groovy interpolation.

      It is currently possible to work around this by disabling submodule behavior and running some git commands, although the security issue is still there:
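
Added example, not part of the original issue or of any plugin's code: a scripted-pipeline checkout that keeps the token out of Groovy interpolation and out of the remote URL by handing it to git through an inline credential helper, which git forwards to the submodule clones because `credential.*` settings given with `-c` are passed down to them. The `node`/`stage` layout and the `src` target directory are assumptions; `<ORG>/<PROJECT>` and the credentials ID are the placeholders used above.

```groovy
// Added example (assumed layout); not the git plugin's or the reporter's code.
node {
    stage('Checkout') {
        withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                          usernameVariable: 'GITHUB_APP',
                                          passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
            // Single-quoted Groovy string: Groovy performs no interpolation, so the
            // secret is never embedded in the script text. The shell (and the helper
            // that git spawns) read it from the environment set by withCredentials.
            sh '''
                set -eu

                # Inline credential helper. git calls it with "get" when it needs
                # credentials; other operations (store/erase) are ignored.
                # Single quotes keep $1 and the token variable unexpanded here, so
                # the token does not appear on the git command line either.
                helper='!f() { test "$1" = get || exit 0; echo username=x-access-token; echo "password=${GITHUB_ACCESS_TOKEN}"; }; f'

                # The first, empty credential.helper clears any helpers configured on
                # the agent, so the token is not cached or stored by them.
                # The URL carries no credentials, so nothing secret is written to
                # .git/config, and -c settings are not persisted in the clone.
                git -c credential.helper= -c "credential.helper=${helper}" clone --recurse-submodules "https://github.com/<ORG>/<PROJECT>.git" src

                # Check: neither the superproject nor any submodule stored a
                # credential-bearing remote URL.
                if git -C src config --get-regexp 'remote\\..*\\.url' | grep -q '@github.com'; then
                    echo "remote URL contains embedded credentials" >&2
                    exit 1
                fi
                git -C src submodule foreach --recursive --quiet \
                    'if git config --get-regexp "remote\\..*\\.url" | grep -q "@github.com"; then echo "embedded credentials in $name" >&2; exit 1; fi'
            '''
        }
    }
}
```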


