
Add new options to GitHub App credentials to allow dynamic restrictions of the repositories and permissions available to installation access tokens in some contexts

Open dwnusbaum opened this issue 1 year ago • 1 comments

Description

See JENKINS-75058. See also https://github.com/jenkins-infra/jenkins.io/pull/7770 for greater context around this change. For now this is a draft PR. I will go through the PR and add review comments to help clarify things.

This PR adds new configuration options to GitHub App credentials that make use of the repositories and permissions parameters when using the /app/installations/{installation_id}/access_tokens GitHub API endpoint to create installation access tokens.

There are two new high-level options:

  • The "Repository access strategy" uses the repositories parameter to control which repositories are available to the installation access tokens. There are three strategies; please see the changes to docs/github-app.adoc and the corresponding help-*.html for details.
  • The "Default permissions strategy" uses the permissions parameter to control which permissions are available to the installation access tokens, but only when the tokens are generated and used in an untrusted context. There are three strategies; please see the changes to docs/github-app.adoc for details.

If you have any recommendations for renaming of these options or any of their sub-options, please feel free to suggest them.

I will go through and add comments to the PR to various points of interest. Please feel free to ask about anything that is not clear.

Backwards compatibility:

  • The new configuration options are not fully backwards compatible. When migrating existing credentials which do not have the owner field set, we can 1) either preserve compatibility for users who have the app installed in multiple orgs and only use the credentials in contexts where owner inference is supported by using AccessInferredOwner as the migration, or 2) we can preserve compatibility for users who have the app installed in a single org and use it in contexts where inference is not supported by using AccessSpecifiedRepositories with a null owner. None of the new strategies currently support these two use cases simultaneously.

Notes for downstream plugins:

  • Any downstream plugin that wants to use GitHub App credentials to access the GitHub API now must use Connector.lookupScanCredentials so that the retrieved credentials recognize that they are in a trusted context so that the generated token is not restricted. See for example https://github.com/jenkinsci/github-checks-plugin/pull/398.
  • The GitHubAppCredentials.getOwner and setOwner methods should no longer be used. The following plugins along with a CloudBees-internal one will need (minor) updates to match this PR. I will file PRs for this soon:
    • https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/pull/107
    • (https://github.com/jenkinsci/github-app-kubernetes-credentials-plugin/blob/95f09eaeb1eaf98443b3ed2fc5105f187a424063/src/main/java/org/jenkinsci/plugins/github_app_kubernetes_credentials/GithubAppCredentialsConvertor.java#L64 is technically incompatible, but I think this plugin is obsolete after https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/pull/50, and so I have not tried to update it.)
    • CloudBees-internal ticket for the proprietary plugin that needed updates

Submitter checklist

  • [x] Link to JIRA ticket in description, if appropriate.
  • [x] Change is code complete and matches issue description
  • [x] Automated tests have been added to exercise the changes
  • [ ] Reviewer's manual test instructions provided in PR description. See Reviewer's first task below.

Reviewer checklist

  • [ ] Run the changes and verify that the change matches the issue description
  • [ ] Reviewed the code
  • [ ] Verified that the appropriate tests have been written or valid explanation given

Documentation changes

  • [x] Link to jenkins.io PR, or an explanation for why no doc changes are needed

Users/aliases to notify

dwnusbaum avatar Dec 20 '24 20:12 dwnusbaum
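
Added example (not code from this PR or the plugin): a sketch of how the `repositories` and `permissions` parameters narrow the request sent to `/app/installations/{installation_id}/access_tokens`, plus a check that the issued token is no broader than requested. The `UNTRUSTED_PERMISSIONS` set, the `trusted` flag, the function names and the sample responses are assumptions made for illustration.

```python
import json

# GitHub App permission levels, weakest to strongest.
LEVELS = {"read": 1, "write": 2, "admin": 3}

# Hypothetical permission set for untrusted contexts (an assumption of this
# example; the PR's actual strategies are described in docs/github-app.adoc).
UNTRUSTED_PERMISSIONS = {"contents": "read", "metadata": "read"}


def build_token_request(installation_id, repositories=None, trusted=False):
    """Return (method, path, json_body) for an installation access token.

    Omitting a parameter asks GitHub for everything the installation was
    granted; supplying it asks for a narrower token.
    """
    body = {}
    if repositories:  # assumption: an empty list means "do not restrict"
        body["repositories"] = sorted(set(repositories))
    if not trusted:
        body["permissions"] = dict(UNTRUSTED_PERMISSIONS)
    path = f"/app/installations/{installation_id}/access_tokens"
    return "POST", path, json.dumps(body, sort_keys=True)


def scope_violations(json_body, response):
    """List the ways an issued token is broader than the request asked for."""
    asked = json.loads(json_body)
    problems = []
    if "repositories" in asked:
        granted = {repo["name"] for repo in response.get("repositories", [])}
        if response.get("repository_selection") != "selected":
            problems.append("token is not limited to selected repositories")
        for name in sorted(granted - set(asked["repositories"])):
            problems.append(f"unexpected repository: {name}")
    if "permissions" in asked:
        for name, level in sorted(response.get("permissions", {}).items()):
            # A permission that was never requested has a ceiling of 0.
            ceiling = LEVELS.get(asked["permissions"].get(name), 0)
            # An unknown level in the response is treated as too broad.
            if LEVELS.get(level, len(LEVELS) + 1) > ceiling:
                problems.append(f"permission exceeds request: {name}={level}")
    return problems


# Constructed sample responses (not captured from GitHub).
NARROW_RESPONSE = {
    "token": "<redacted>",
    "permissions": {"contents": "read", "metadata": "read"},
    "repository_selection": "selected",
    "repositories": [{"name": "app"}],
}
BROAD_RESPONSE = {
    "token": "<redacted>",
    "permissions": {"contents": "write", "metadata": "read", "checks": "write"},
    "repository_selection": "all",
}

if __name__ == "__main__":
    method, path, body = build_token_request(42, ["app"], trusted=False)
    print(method, path, body)
    print("narrow:", scope_violations(body, NARROW_RESPONSE))
    print("broad: ", scope_violations(body, BROAD_RESPONSE))
```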

Hmm, some of the changes in 755fec8fdd37a72d7e4dc1e9a7ca30b801093c62 might make the migration admin monitor trigger even for brand new app credentials. If so, we might need to swap back to setting the default values of the new fields in the constructor.

dwnusbaum avatar Jan 30 '25 09:01 dwnusbaum

I performed manual tests with:

  • 2 GitHub Apps (A1 and A2)
  • 2 GitHub organizations (O1 and O2)
  • A1 installed on O1 (restricted list of repositories)
  • A2 installed on O1 (restricted list of repositories)
  • A2 installed on O2 (all repositories)

On Jenkins, I tested the 3 RepositoryAccessStrategy implementations with Multibranch Pipelines and Organization Folder for both A1 and A2: everything works as described, the restriction is applied to the list of repositories in each case.

AccessSpecifiedRepositories with an empty list of repositories restricts access to the owner's repositories.

AccessInferredRepository raises an error as expected when used from a non-multibranch Pipeline.

jeromepochat avatar Aug 13 '25 15:08 jeromepochat

Holding the merge of this until https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/pull/107 and https://github.com/jenkins-infra/jenkins.io/blob/7a7552272c829342368859c104d0efe9922b78c9/content/doc/book/security/securing-org-folders-and-multibranch-pipelines.adoc?plain=1#L78-L84 are ready as well as some upgrade tests.

rsandell avatar Aug 25 '25 14:08 rsandell

> Holding the merge of this until jenkinsci/kubernetes-credentials-provider-plugin#107 and https://github.com/jenkins-infra/jenkins.io/blob/7a7552272c829342368859c104d0efe9922b78c9/content/doc/book/security/securing-org-folders-and-multibranch-pipelines.adoc?plain=1#L78-L84 are ready as well as some upgrade tests.

Hi @rsandell! As discussed, the merge path is:

  1. This PR providing the new options for GitHub App credentials
  2. Downstream PR that needs the new options provided by this one
    • https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/pull/107

jeromepochat avatar Aug 27 '25 19:08 jeromepochat

Looks like these changes are causing issues with doing a BOM release this week. For reference:

https://github.com/jenkinsci/bom/issues/5607

tl;dr...two plugins that passed on the Tuesday weekly build are now failing on Friday.

kubernetes-credentials-provider (I notice that's noted above):

[ERROR] com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors.GitHubAppCredentialsConvertorTest.canConvertAValidSecretWithApiUri -- Time elapsed: 0.174 s <<< ERROR!
java.lang.IllegalStateException: Expected 1 instance of org.jenkinsci.plugins.github_branch_source.app_credentials.MigrationAdminMonitor but got 0
        at hudson.ExtensionList.lookupSingleton(ExtensionList.java:478)
        at org.jenkinsci.plugins.github_branch_source.app_credentials.MigrationAdminMonitor.addMigratedCredentialId(MigrationAdminMonitor.java:32)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.setOwner(GitHubAppCredentials.java:175)
        at com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors.GitHubAppCredentialsConvertor.convert(GitHubAppCredentialsConvertor.java:67)
        at com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors.GitHubAppCredentialsConvertorTest.canConvertAValidSecretWithApiUri(GitHubAppCredentialsConvertorTest.java:101)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)

[ERROR] com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors.GitHubAppCredentialsConvertorTest.canConvertAValidSecretWithOwner -- Time elapsed: 0.001 s <<< ERROR!
java.lang.IllegalStateException: Expected 1 instance of org.jenkinsci.plugins.github_branch_source.app_credentials.MigrationAdminMonitor but got 0
        at hudson.ExtensionList.lookupSingleton(ExtensionList.java:478)
        at org.jenkinsci.plugins.github_branch_source.app_credentials.MigrationAdminMonitor.addMigratedCredentialId(MigrationAdminMonitor.java:32)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.setOwner(GitHubAppCredentials.java:175)
        at com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors.GitHubAppCredentialsConvertor.convert(GitHubAppCredentialsConvertor.java:67)
        at com.cloudbees.jenkins.plugins.kubernetes_credentials_provider.convertors.GitHubAppCredentialsConvertorTest.canConvertAValidSecretWithOwner(GitHubAppCredentialsConvertorTest.java:81)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)

and github-checks (also noted above, but not sure if there is any work planned for it or not):

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks[Freestyle (run)] -- Time elapsed: 7.146 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks(GitHubChecksPublisherITest.java:253)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly[Freestyle (run)] -- Time elapsed: 1.596 s <<< FAILURE!
org.opentest4j.AssertionFailedError:

expected: "XiongKezhi"
 but was: null
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly(GitHubChecksPublisherITest.java:345)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly[Freestyle (run)] -- Time elapsed: 1.259 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly(GitHubChecksPublisherITest.java:217)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks[Freestyle (job)] -- Time elapsed: 1.585 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks(GitHubChecksPublisherITest.java:253)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly[Freestyle (job)] -- Time elapsed: 1.282 s <<< FAILURE!
org.opentest4j.AssertionFailedError:

expected: "XiongKezhi"
 but was: null
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly(GitHubChecksPublisherITest.java:345)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly[Freestyle (job)] -- Time elapsed: 2.462 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly(GitHubChecksPublisherITest.java:217)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks[Pipeline (run)] -- Time elapsed: 1.730 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks(GitHubChecksPublisherITest.java:253)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly[Pipeline (run)] -- Time elapsed: 1.411 s <<< FAILURE!
org.opentest4j.AssertionFailedError:

expected: "XiongKezhi"
 but was: null
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly(GitHubChecksPublisherITest.java:345)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly[Pipeline (run)] -- Time elapsed: 1.065 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly(GitHubChecksPublisherITest.java:217)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks[Pipeline (job)] -- Time elapsed: 2.270 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldLogChecksParametersIfExceptionHappensWhenPublishChecks(GitHubChecksPublisherITest.java:253)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly[Pipeline (job)] -- Time elapsed: 1.009 s <<< FAILURE!
org.opentest4j.AssertionFailedError:

expected: "XiongKezhi"
 but was: null
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.testChecksPublisherUpdatesCorrectly(GitHubChecksPublisherITest.java:345)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

[ERROR] io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly[Pipeline (job)] -- Time elapsed: 1.597 s <<< ERROR!
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID app-id but none match credential owner "XiongKezhi". Configure the repository access strategy for the credential to use one of these owners: bogus
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:314)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:386)
        at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$CredentialsTokenProvider.getEncodedAuthorization(GitHubAppCredentials.java:262)
        at org.kohsuke.github.GitHubClient.prepareConnectorRequest(GitHubClient.java:616)
        at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:455)
        at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:159)
        at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:390)
        at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1321)
        at org.jenkinsci.plugins.github_branch_source.ApiRateLimitChecker.verifyConnection(ApiRateLimitChecker.java:192)
        at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:738)
        at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:435)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisher.publish(GitHubChecksPublisher.java:81)
        at io.jenkins.plugins.checks.github.GitHubChecksPublisherITest.shouldPublishGitHubCheckRunCorrectly(GitHubChecksPublisherITest.java:217)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.jvnet.hudson.test.JenkinsRule$1.evaluate(JenkinsRule.java:658)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.lang.Thread.run(Thread.java:1583)

For the moment so I can get the BOM release out today, I'm going to revert the PR that put in 1844.v4a_9883d49126 and block any more changes to github-branch-source until these issues are resolved.

FWIW, the local BOM commands I'm running that are failing are:

  • LINE=weekly PLUGINS=kubernetes-credentials-provider bash local-test.sh
  • LINE=weekly PLUGINS=github-checks bash local-test.sh

As noted, when I locally go back to 1834.v857721ea_74c6, the above commands succeed.

darinpope avatar Aug 29 '25 19:08 darinpope

Thanks @darinpope. The former I think just needs a release of https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/pull/107.

The latter failures I think are all related to the incompatibility mentioned in the release notes here. The tests are setting an owner XiongKezhi, but the WireMock responses for the app installation are returning a single owner named bogus here. This used to work fine as long as there was only one app installation, since that owner would be used even if it didn't match the configuration in Jenkins, but the new logic is stricter and the owner must match in this case. Either the WireMock mapping can be updated to return XiongKezhi, or the tests can be updated to use "Specify accessible repositories" with an empty owner field to use the single app installation from the WireMock mapping. @jeromepochat might be able to take a look at this next week, but if not, I will look into it.

dwnusbaum avatar Aug 29 '25 20:08 dwnusbaum
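
Added example (a model written for this page, not the plugin's Java code): the owner-matching change described in the comment above, with the earlier lenient selection beside the stricter one. The installation records are constructed to mirror the WireMock case (one installation owned by `bogus`, credential owner `XiongKezhi`); the function names and the behaviour with several installations and no owner are assumptions.

```python
def owners(installations):
    """Owner logins of the app installations, in the order returned."""
    return [inst["account"]["login"] for inst in installations]


def match_owner(installations, owner):
    """Return the installation whose account login equals `owner`."""
    for inst in installations:
        if inst["account"]["login"] == owner:
            return inst
    raise LookupError(
        f"no installation matches owner {owner!r}; "
        f"available owners: {', '.join(owners(installations))}"
    )


def select_lenient(installations, owner):
    """Earlier behaviour as described in the thread.

    A lone installation is used even when its owner differs from the owner
    configured on the credential.
    """
    if len(installations) == 1:
        return installations[0]
    return match_owner(installations, owner)


def select_strict(installations, owner):
    """Stricter behaviour as described in the thread.

    A configured owner must match an installation. An empty owner falls
    back to the single installation; with several installations and no
    owner this model refuses to guess (assumption of this example).
    """
    if not owner:
        if len(installations) == 1:
            return installations[0]
        raise LookupError(
            "owner is required when the app has several installations: "
            + ", ".join(owners(installations))
        )
    return match_owner(installations, owner)


# Constructed installation lists (shape simplified from the GitHub API).
SINGLE = [{"id": 1, "account": {"login": "bogus"}}]
MULTI = SINGLE + [{"id": 2, "account": {"login": "XiongKezhi"}}]

if __name__ == "__main__":
    print("lenient:", select_lenient(SINGLE, "XiongKezhi")["id"])
    for owner in ("XiongKezhi", "bogus", ""):
        try:
            print("strict ", repr(owner), "->", select_strict(SINGLE, owner)["id"])
        except LookupError as err:
            print("strict ", repr(owner), "-> rejected:", err)
```

Under the lenient rule a credential configured for one owner silently receives a token for a different account's installation; the strict rule turns that mismatch into a configuration error.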

Feels like we need tests for both "Specify..." and a mapping update, since both are valid cases.

darinpope avatar Aug 29 '25 20:08 darinpope