New Feature
Resolution: Unresolved
Minor
The github branch source plugin introduced support for "github app" authentication in 2020:
https://www.jenkins.io/blog/2020/04/16/github-app-authentication/
It is possible to use these access keys as git credentials, as outlined in GitHub's documentation. This has a number of advantages over deploy keys:
- They are not rate limited the same way other keys are
- GitHub deploy keys can only be assigned to one project, whereas GitHub apps can be applied to several projects
It is possible to use the credentials by wrapping them in a withCredentials block like so:
{code}
withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                  usernameVariable: 'GITHUB_APP',
                                  passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
    // The token is interpolated by Groovy straight into the remote URL
    checkout([
        $class: 'GitSCM',
        userRemoteConfigs: [[
            credentialsId: '',
            url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
        ]]
    ])
}
{code}
However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.
It'd be great if the git plugin supported GitHubAppCredentials natively, so that a user could just reference the credentialId and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.
This would overcome the current limitations: not being able to reuse credentials for submodules, and the security implications of passing around secrets via Groovy interpolation.
It is currently possible to work around this by disabling submodule behavior and running some git commands, although the security issue is still there:
https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897
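An added example, not part of the original report and not the Git plugin's code: a git credential helper that hands the installation token to git from the environment instead of the remote URL, and answers only for https://github.com, so requests for submodule URLs on that host get the same answer. The helper path and function names are hypothetical, and GITHUB_ACCESS_TOKEN is assumed to be bound by withCredentials.

```shell
#!/bin/sh
# Added example (not the Git plugin's code). Assumes GITHUB_ACCESS_TOKEN is
# already in the environment, e.g. bound by withCredentials and used from a
# single-quoted sh step so Groovy never interpolates it.
#
# Install this file as an executable helper (path is hypothetical):
#   git -c credential.helper= -c credential.helper=/opt/ci/github-app-helper.sh \
#       clone --recurse-submodules "https://github.com/<ORG>/<PROJECT>.git"

# git credential protocol: git runs "<helper> get" and writes key=value lines
# on stdin, ended by a blank line; the helper answers with username/password.
github_app_helper() {
  _gh_protocol="" _gh_host=""
  # Only answer lookups; "store"/"erase" are ignored so nothing is persisted.
  [ "${1:-}" = "get" ] || return 0
  while IFS= read -r _gh_line && [ -n "$_gh_line" ]; do
    case "$_gh_line" in
      protocol=*) _gh_protocol="${_gh_line#protocol=}" ;;
      host=*)     _gh_host="${_gh_line#host=}" ;;
    esac
  done
  # Release the token only to https://github.com, never to another host.
  [ "$_gh_protocol" = "https" ] || return 0
  [ "$_gh_host" = "github.com" ] || return 0
  [ -n "${GITHUB_ACCESS_TOKEN:-}" ] || return 0
  printf 'username=x-access-token\npassword=%s\n' "$GITHUB_ACCESS_TOKEN"
}

# Check for the pattern this approach avoids: a remote URL with user:secret@
# in its authority part, which git stores in .git/config.
url_embeds_secret() {
  _gh_rest="${1#*://}"              # drop the scheme
  _gh_authority="${_gh_rest%%/*}"   # keep only the authority part
  case "$_gh_authority" in
    *:*@*) return 0 ;;
    *)     return 1 ;;
  esac
}

# When executed as a helper, dispatch on the operation git passes in.
[ "$#" -eq 0 ] || github_app_helper "$@"
```
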
[JENKINS-67600] Support checkout with Github App credentials
Assignee | Original: Mark Waite [ markewaite ] |