Quantcast

Github Organization and credentials

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Github Organization and credentials

Justin Knowles
Hello. I'm having an issue creating a Github Organization (GO from now on) and also not quite understanding how credentials (the plugin) fit into all this. I think I understand that credentials via the plugin can be siloed into different groups or folders for access control purposes. I have a few credentials in jenkins/global (ie at the URL /credentials), and another scoped to "Jenkins", of which some of the global ones should have sufficient permissions for the GO plugin, but after creating my new GO they're not listed (the list only shows "-none-") and I'm shown a "Credentials are recommended" message. 

Saving my newly created GO kicks off the folder computation process which does nothing because its trying to use anonymous access, and revisiting its settings page still doesn't show any credentials global or otherwise. Ok, understandable. 

From my GO/settings page I have the option of adding credentials with two options: folder credentials provider (by the name of my new GO) and Jenkins credentials provider (by the name of Jenkins). From here I chose to add credentials using the GO provider by generating a new personal access token in github with these permissions: 

 repo  Full control of private repositories
  repo:status  Access commit status
  repo_deployment  Access deployment status
  public_repo

 admin:repo_hook  Full control of repository hooks
  write:repo_hook  Write repository hooks
  read:repo_hook  Read repository hooks

 admin:org_hook  Full control of organization hooks

Those may be too wide, but whatever, I think they're enough? I select those creds, apply the changes, and start folder computation, and now it sees everything. Awesome. As a test I have just one branch in one repo with a Jenkinsfile and this is it:

node {
  // git url: 'https://github.com/COMPANY/COMPANY-java-core.git'

  stage('Test (verify)') {
        withMaven(
          maven: 'maven3',
          mavenLocalRepo: '.repository') {
            sh "mvn clean install"
        }
  }
}

With and without that git url has returned different errors, I can go back and find out what they were if it matters. Regardless, with it how it is now if I go to a detected branch and look at the log for what it tried to do using the Jenkins file, I see this: https://gist.githubusercontent.com/jayceekay/20a9797de5fa76a8b444cefc2cf65674/raw/21b507979df4acff83a5609204505d3e6e4bece2/log

Namely, to clone the repo it does:
Connecting to https://api.github.com using ME/****** (COMPANY github organization token)
Cloning the remote Git repository
Cloning repository https://github.com/COMPANY/COMPANY-java-core.git

But then later I see:
Fetching upstream changes from https://github.com/COMPANY/COMPANY-java-core.git
using GIT_ASKPASS to set credentials COMPANY github organization token
 > git fetch --tags --progress https://github.com/COMPANY/COMPANY-java-core.git +refs/heads/*:refs/remotes/origin/*
 > git config remote.origin1.url https://github.com/COMPANY/COMPANY-java-core.git # timeout=10
Fetching upstream changes from https://github.com/COMPANY/COMPANY-java-core.git
using GIT_ASKPASS to set credentials COMPANY github organization token
 > git fetch --tags --progress https://github.com/COMPANY/COMPANY-java-core.git +refs/pull/*/head:refs/remotes/origin/pr/*
Checking out Revision some_commit_hash (ME/jenkinsfile-test)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f some_commit_hash

1. it seems like its doing the same thing more than once
2. rather than default to the credentials I gave it it's defaulting to asking for a password

I've read online that from here I can go into individual repositories that were found and tweak the Github plugin settings (under advanced) and change the checkout credentials to be different from the scan credentials, which I can see and change, but cannot actually save

All suggestions welcome!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/668c27ca-517e-4823-9d83-05a37906cb35%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Github Organization and credentials

Justin Knowles
Well after messing with this for days I magically got it working once I posted this. The fix for me was a combination of my github org config and my Jenkinsfile. In the github org I went to my org -> configure -> repository sources (github organization) -> advanced and changed "checkout credentials" from "-same as scan credentials-" to explicitly be the same credentials I used for the scan credentials.

My Jenkinsfile was changed to:

node {
  checkout scm

    stage('Test (verify)') {
      withMaven(
          maven: 'maven3',
          mavenLocalRepo: '.repository') {
        sh "mvn clean install"
      }
    }
}


On Wednesday, January 11, 2017 at 3:12:23 PM UTC-5, Justin Knowles wrote:
Hello. I'm having an issue creating a Github Organization (GO from now on) and also not quite understanding how credentials (the plugin) fit into all this. I think I understand that credentials via the plugin can be siloed into different groups or folders for access control purposes. I have a few credentials in jenkins/global (ie at the URL /credentials), and another scoped to "Jenkins", of which some of the global ones should have sufficient permissions for the GO plugin, but after creating my new GO they're not listed (the list only shows "-none-") and I'm shown a "Credentials are recommended" message. 

Saving my newly created GO kicks off the folder computation process which does nothing because its trying to use anonymous access, and revisiting its settings page still doesn't show any credentials global or otherwise. Ok, understandable. 

From my GO/settings page I have the option of adding credentials with two options: folder credentials provider (by the name of my new GO) and Jenkins credentials provider (by the name of Jenkins). From here I chose to add credentials using the GO provider by generating a new personal access token in github with these permissions: 

 repo  Full control of private repositories
  repo:status  Access commit status
  repo_deployment  Access deployment status
  public_repo

 admin:repo_hook  Full control of repository hooks
  write:repo_hook  Write repository hooks
  read:repo_hook  Read repository hooks

 admin:org_hook  Full control of organization hooks

Those may be too wide, but whatever, I think they're enough? I select those creds, apply the changes, and start folder computation, and now it sees everything. Awesome. As a test I have just one branch in one repo with a Jenkinsfile and this is it:

node {
  // git url: '<a href="https://github.com/COMPANY/COMPANY-java-core.git" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;">https://github.com/COMPANY/COMPANY-java-core.git'

  stage('Test (verify)') {
        withMaven(
          maven: 'maven3',
          mavenLocalRepo: '.repository') {
            sh "mvn clean install"
        }
  }
}

With and without that git url has returned different errors, I can go back and find out what they were if it matters. Regardless, with it how it is now if I go to a detected branch and look at the log for what it tried to do using the Jenkins file, I see this: <a href="https://gist.githubusercontent.com/jayceekay/20a9797de5fa76a8b444cefc2cf65674/raw/21b507979df4acff83a5609204505d3e6e4bece2/log" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgist.githubusercontent.com%2Fjayceekay%2F20a9797de5fa76a8b444cefc2cf65674%2Fraw%2F21b507979df4acff83a5609204505d3e6e4bece2%2Flog\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG3x5ySV11dVBt5BVWX_c22pVNrAw&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgist.githubusercontent.com%2Fjayceekay%2F20a9797de5fa76a8b444cefc2cf65674%2Fraw%2F21b507979df4acff83a5609204505d3e6e4bece2%2Flog\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNG3x5ySV11dVBt5BVWX_c22pVNrAw&#39;;return true;">https://gist.githubusercontent.com/jayceekay/20a9797de5fa76a8b444cefc2cf65674/raw/21b507979df4acff83a5609204505d3e6e4bece2/log

Namely, to clone the repo it does:
Connecting to <a href="https://api.github.com" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fapi.github.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFaxiN7JVsICSzUBUNhK22bgSq8yA&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fapi.github.com\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNFaxiN7JVsICSzUBUNhK22bgSq8yA&#39;;return true;">https://api.github.com using ME/****** (COMPANY github organization token)
Cloning the remote Git repository
Cloning repository <a href="https://github.com/COMPANY/COMPANY-java-core.git" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;">https://github.com/COMPANY/COMPANY-java-core.git

But then later I see:
Fetching upstream changes from <a href="https://github.com/COMPANY/COMPANY-java-core.git" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;">https://github.com/COMPANY/COMPANY-java-core.git
using GIT_ASKPASS to set credentials COMPANY github organization token
 > git fetch --tags --progress <a href="https://github.com/COMPANY/COMPANY-java-core.git" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;">https://github.com/COMPANY/COMPANY-java-core.git +refs/heads/*:refs/remotes/origin/*
 > git config remote.origin1.url <a href="https://github.com/COMPANY/COMPANY-java-core.git" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;">https://github.com/COMPANY/COMPANY-java-core.git # timeout=10
Fetching upstream changes from <a href="https://github.com/COMPANY/COMPANY-java-core.git" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;">https://github.com/COMPANY/COMPANY-java-core.git
using GIT_ASKPASS to set credentials COMPANY github organization token
 > git fetch --tags --progress <a href="https://github.com/COMPANY/COMPANY-java-core.git" target="_blank" rel="nofollow" onmousedown="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;" onclick="this.href=&#39;https://www.google.com/url?q\x3dhttps%3A%2F%2Fgithub.com%2FCOMPANY%2FCOMPANY-java-core.git\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEzF5U3i1yNQ1wywHndOp_naiy0CQ&#39;;return true;">https://github.com/COMPANY/COMPANY-java-core.git +refs/pull/*/head:refs/remotes/origin/pr/*
Checking out Revision some_commit_hash (ME/jenkinsfile-test)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f some_commit_hash

1. it seems like its doing the same thing more than once
2. rather than default to the credentials I gave it it's defaulting to asking for a password

I've read online that from here I can go into individual repositories that were found and tweak the Github plugin settings (under advanced) and change the checkout credentials to be different from the scan credentials, which I can see and change, but cannot actually save

All suggestions welcome!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/eb76cc4f-82d1-4b35-a63d-02c7d55aa291%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Loading...