Jenkins / JENKINS-75416

Handle checkout with GitHub app auth for multiple orgs/installations

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • git-plugin
    • None

      Might be related to JENKINS-67600, but feels different enough to call it out in a separate ticket.

      Currently, when you try to check out a repository from GitHub with a GitHub App credential, it seems to work fine for simple modules and an app installed in a single org or, if you have the app installed in multiple orgs, when the credential has the owner set on it. For those instances where the GH installation is inferred from the owner on the repository, this does not work with the git plugin since it does not set the owner properly.

      The github-branch-source plugin added this support by updating their lookupScanCredentials method to add a repoOwner property which then gets set on the GitHub app credential before returning it. This makes everything work properly for a GH app credential with no owner set but the GH app installed on multiple orgs in GH itself.

      The git plugin should add similar support here, but this is complicated by the fact that the GitHub app credential is not pulled in by the plugin (and correctly so). I'm not sure of the best option here, since really what is needed is something like this method:

          private static StandardUsernameCredentials lookupScanCredentials(@NonNull Run<?, ?> build,
                                                                           @CheckForNull String url,
                                                                           @CheckForNull String ucCredentialsId,
                                                                           @CheckForNull String repoOwner) {
              // No credentials ID configured: nothing to look up.
              if (Util.fixEmpty(ucCredentialsId) == null) {
                  return null;
              } else {
                  StandardUsernameCredentials c = CredentialsProvider.findCredentialById(
                          ucCredentialsId,
                          StandardUsernameCredentials.class,
                          build,
                          URIRequirementBuilder.fromUri(url).build());
                  // Bind the GitHub App credential to the repository owner so the
                  // matching installation is selected. GitHubAppCredentials comes from
                  // github-branch-source, which the git plugin does not depend on.
                  if (c instanceof GitHubAppCredentials && repoOwner != null) {
                      c = ((GitHubAppCredentials) c).withOwner(repoOwner);
                  }
                  return c != null && GitClient.CREDENTIALS_MATCHER.matches(c) ? c : null;
              }
          }


      However, the repoOwner can be assumed in GitHub but not in general git repos AFAIK. Also, we have the problem mentioned above where GitHubAppCredentials is not included in the build since it does not depend on the plugin. I'm hoping to find some solution in here that will allow it to work more generally and also allow it to work with GH app auth inferring the owner properly.

      Assignee: Unassigned
      Reporter: Brian Saville (bksaville)
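An added example, not code from the git plugin or from the issue reporter: one way to derive a `repoOwner` value only when the remote is on the expected GitHub host, returning null for any other remote so that a generic git credential lookup is left unchanged. The class `RepoOwnerInference`, the method `inferOwner` and the `githubHost` parameter are hypothetical names, and the sample URLs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper, not part of the git plugin. */
public final class RepoOwnerInference {
    // scp-like remote syntax, e.g. git@github.com:owner/repo.git
    private static final Pattern SCP_LIKE =
            Pattern.compile("^(?:[^@/:]+@)?([^:/]+):(?!/)(.+)$");

    private RepoOwnerInference() {}

    /** Returns the owner segment if remoteUrl points at githubHost, else null. */
    public static String inferOwner(String remoteUrl, String githubHost) {
        if (remoteUrl == null || githubHost == null) return null;
        String host;
        String path;
        Matcher m = SCP_LIKE.matcher(remoteUrl.trim());
        if (m.matches()) {
            host = m.group(1);
            path = m.group(2);
        } else {
            try {
                URI uri = new URI(remoteUrl.trim());
                host = uri.getHost();
                path = uri.getPath();
            } catch (URISyntaxException e) {
                return null; // unparseable remote: do not guess an owner
            }
        }
        // Only infer an owner for the expected GitHub host (assumption: the
        // caller passes "github.com" or its GitHub Enterprise host name).
        if (host == null || path == null || !host.equalsIgnoreCase(githubHost)) return null;
        // Require exactly owner/repo[.git]; anything else is ambiguous.
        String[] parts = path.replaceAll("^/+|/+$", "").split("/");
        if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) return null;
        return parts[0];
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample remotes
            "https://github.com/example-org/app.git", "git@github.com:example-org/app.git",
            "ssh://git@github.com/example-org/app.git",
            "https://git.example.com/group/sub/app.git", "/srv/git/app.git" };
        for (String s : samples) {
            System.out.println(s + " -> " + inferOwner(s, "github.com"));
        }
    }
}
```

The first three samples yield `example-org`; the last two yield null, in which case the caller would pass a null `repoOwner` and the credential would be returned as configured.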