
Extend the GitUsernamePasswordBinding by exporting the credentials suitable for git credential store

Open petr-tichy opened this issue 2 years ago • 2 comments

Checklist

  • [x] I have read the CONTRIBUTING doc
  • [x] I have added tests that verify my changes
  • [x] Unit tests pass locally with my changes
  • [x] I have added documentation as necessary
  • [x] No Javadoc warnings were introduced with my changes
  • [x] No spotbugs warnings were introduced with my changes
  • [x] Documentation in README has been updated as necessary
  • [x] I have interactively tested my changes

Types of changes

  • [x] New feature (non-breaking change which adds functionality)

Further comments

This extends the GitUsernamePasswordBinding by exporting the credentials in a file format suitable for git credential store, which is in turn useful for the docker.build step using a BuildKit secret mount. This is currently the best option for forwarding HTTP credentials to docker.build while avoiding storing these in the image.

```groovy
// Jenkins pipeline
withCredentials([gitUsernamePassword(credentialsId: 'my-credentials-id',
                 hostName: 'github.com')]) {
  withEnv(['DOCKER_BUILDKIT=1']) {
    docker.build '', "--secret id=git_store,src=${GIT_CREDENTIAL_STORE} ."
  }
}
```

```dockerfile
# Dockerfile
RUN --mount=type=secret,id=git_store \
    git config credential.helper 'store --file /run/secrets/git_store' && \
    git clone https://github.com/private/repo
```

The above configuration is best used with GitHub App authentication provided by the GitHub Branch Source plugin. This issues a scoped temporary token valid for one hour, which is then used in HTTPS Basic Auth.

petr-tichy avatar Feb 17 '22 20:02 petr-tichy
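
As an added illustration (not part of this pull request or the plugin's code), the sketch below writes a file in the one-entry-per-line `scheme://user:pass@host` format that `git credential-store --file` reads, keeps it owner-only, and parses it back. The function names, the `ci-bot` username and the token value are constructed for the example.

```python
import os
import stat
import tempfile
from urllib.parse import quote, unquote, urlsplit


def store_line(host, username, password, scheme="https"):
    """One entry as git-credential-store keeps it: scheme://user:pass@host."""
    # Percent-encode everything outside the RFC 3986 unreserved set so a ':',
    # '@' or '/' inside the token cannot change how the line is split.
    user, secret = quote(username, safe=""), quote(password, safe="")
    return f"{scheme}://{user}:{secret}@{host}"


def write_store(path, host, username, password):
    """Create the file owner-only (0600) and refuse to reuse an existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(store_line(host, username, password) + "\n")


def read_store(path):
    """Parse entries back, rejecting a file that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}, expected 0o600")
    entries = []
    with open(path) as fh:
        for line in filter(None, map(str.strip, fh)):
            url = urlsplit(line)
            entries.append((url.hostname, unquote(url.username or ""),
                            unquote(url.password or "")))
    return entries


def demo():
    # Constructed sample values, not real credentials.
    user, token = "ci-bot", "tok/with:special@chars"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "git_store")
        write_store(path, "github.com", user, token)
        return store_line("github.com", user, token), read_store(path)


if __name__ == "__main__":
    print(demo())
```

The permission check in `read_store` is the kind of guard a pipeline can run before handing the file to `--secret ... src=`, since the file holds the token in recoverable form.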

Is there any update on this getting merged?

jtway avatar Jun 22 '22 18:06 jtway

Is there any update on this getting merged?

It will likely be several months before I'm able to review, test, and merge this pull request.

MarkEWaite avatar Jun 22 '22 18:06 MarkEWaite