The github branch source plugin introduced support for "github app" authentication in 2020:

      https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

      It is possible to use these access keys as git credentials, as outlined in github's documentation. This has a number of advantages over deploy keys:

      It is possible to use the credentials by wrapping them in a withCredentials block like so:

          withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                      usernameVariable: 'GITHUB_APP',
                                      passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
              checkout ([
                  $class: 'GitSCM',
                  userRemoteConfigs: [[
                      credentialsId: '',
                  url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                  ]],
      

      However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

      It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

      This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.

      It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:

      https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897

          [JENKINS-67600] Support checkout with Github App credentials

          Dan Alvizu created issue -
          Mark Waite made changes -
          Assignee Original: Mark Waite [ markewaite ]
          Dan Alvizu made changes -
          Description Original: The gitlab branch source plugin introduced support for[ "github app" authentication|https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java] in 2020:

          https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

          It is possible to use these access keys as git credentials, [as outlined in github's documentation|https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation]. This has a number of advantages over deploy keys:

          * They are not rate limited
          * Github deploy keys [can only be assigned to one project|https://stackoverflow.com/questions/13225826/using-the-same-deploy-key-for-multiple-github-projects] where github apps can be applied to several

          It is possible to use the credentials by wrapping them in a {{withCredentials}} block like so:

          {code}
              withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                          usernameVariable: 'GITHUB_APP',
                                          passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
                  checkout ([
                      $class: 'GitSCM',
                      userRemoteConfigs: [[
                          credentialsId: '',
                      url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                      ]],
          {code}

          However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

          It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

          This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.

          It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:

          https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897
          New: The gitlab branch source plugin introduced support for ["github app" authentication|https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java] in 2020:

          https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

          It is possible to use these access keys as git credentials, [as outlined in github's documentation|https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation]. This has a number of advantages over deploy keys:

          * They are not rate limited
          * Github deploy keys [can only be assigned to one project|https://stackoverflow.com/questions/13225826/using-the-same-deploy-key-for-multiple-github-projects] where github apps can be applied to several

          It is possible to use the credentials by wrapping them in a {{withCredentials}} block like so:

          {code}
              withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                          usernameVariable: 'GITHUB_APP',
                                          passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
                  checkout ([
                      $class: 'GitSCM',
                      userRemoteConfigs: [[
                          credentialsId: '',
                      url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                      ]],
          {code}

          However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

          It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

          This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.

          It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:

          https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897
          Dan Alvizu made changes -
          Description Original: The gitlab branch source plugin introduced support for ["github app" authentication|https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java] in 2020:

          https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

          It is possible to use these access keys as git credentials, [as outlined in github's documentation|https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation]. This has a number of advantages over deploy keys:

          * They are not rate limited
          * Github deploy keys [can only be assigned to one project|https://stackoverflow.com/questions/13225826/using-the-same-deploy-key-for-multiple-github-projects] where github apps can be applied to several

          It is possible to use the credentials by wrapping them in a {{withCredentials}} block like so:

          {code}
              withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                          usernameVariable: 'GITHUB_APP',
                                          passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
                  checkout ([
                      $class: 'GitSCM',
                      userRemoteConfigs: [[
                          credentialsId: '',
                      url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                      ]],
          {code}

          However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

          It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

          This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.

          It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:

          https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897
          New: The gitlab branch source plugin introduced support for ["github app" authentication|https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java] in 2020:

          https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

          It is possible to use these access keys as git credentials, [as outlined in github's documentation|https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation]. This has a number of advantages over deploy keys:

          * They are not rate limited the same way other keys are
          * Github deploy keys [can only be assigned to one project|https://stackoverflow.com/questions/13225826/using-the-same-deploy-key-for-multiple-github-projects] where github apps can be applied to several projects

          It is possible to use the credentials by wrapping them in a {{withCredentials}} block like so:

          {code}
              withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                          usernameVariable: 'GITHUB_APP',
                                          passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
                  checkout ([
                      $class: 'GitSCM',
                      userRemoteConfigs: [[
                          credentialsId: '',
                      url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                      ]],
          {code}

          However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

          It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

          This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.

          It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:

          https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897
          Dan Alvizu made changes -
          Description Original: The gitlab branch source plugin introduced support for ["github app" authentication|https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java] in 2020:

          https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

          It is possible to use these access keys as git credentials, [as outlined in github's documentation|https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation]. This has a number of advantages over deploy keys:

          * They are not rate limited the same way other keys are
          * Github deploy keys [can only be assigned to one project|https://stackoverflow.com/questions/13225826/using-the-same-deploy-key-for-multiple-github-projects] where github apps can be applied to several projects

          It is possible to use the credentials by wrapping them in a {{withCredentials}} block like so:

          {code}
              withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                          usernameVariable: 'GITHUB_APP',
                                          passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
                  checkout ([
                      $class: 'GitSCM',
                      userRemoteConfigs: [[
                          credentialsId: '',
                      url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                      ]],
          {code}

          However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

          It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

          This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.

          It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:

          https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897
          New: The github branch source plugin introduced support for ["github app" authentication|https://github.com/jenkinsci/github-branch-source-plugin/blob/master/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java] in 2020:

          https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

          It is possible to use these access keys as git credentials, [as outlined in github's documentation|https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation]. This has a number of advantages over deploy keys:

          * They are not rate limited the same way other keys are
          * Github deploy keys [can only be assigned to one project|https://stackoverflow.com/questions/13225826/using-the-same-deploy-key-for-multiple-github-projects] where github apps can be applied to several projects

          It is possible to use the credentials by wrapping them in a {{withCredentials}} block like so:

          {code}
              withCredentials([usernamePassword(credentialsId: 'github-app-credentials',
                                          usernameVariable: 'GITHUB_APP',
                                          passwordVariable: 'GITHUB_ACCESS_TOKEN')]) {
                  checkout ([
                      $class: 'GitSCM',
                      userRemoteConfigs: [[
                          credentialsId: '',
                      url: "https://x-access-token:$GITHUB_ACCESS_TOKEN@github.com/<ORG>/<PROJECT>.git"
                      ]],
          {code}

          However, this carries a big limitation that they (the credentials) cannot be used with submodules. It is also a security issue to pass a GITHUB_ACCESS_TOKEN around like this.

          It'd be great if the git plugin supports this GitHubAppCredentials natively, and then as a user just reference the credentialId, and have the git plugin handle obtaining the access token and reusing the 'inherit your credentials from your parent' behavior.

          This would overcome limitations currently - not being able to reuse credentials to submodules and the security implications of passing around secrets via groovy interpolation.

          It is currently possible to work-around this with disabling submodule behavior and running some git commands, although the security issue is still there:

          https://stackoverflow.com/questions/47275354/jenkins-git-submodule-credentials-different-from-parent-repo/70716897#70716897

            Unassigned Unassigned
            dalvizu Dan Alvizu
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: