
Checks fail if run on system locked out of public internet.

Open macetw opened this issue 2 years ago • 5 comments

Jenkins and plugins versions report

If I run my builds with the GitHub Checks plugin installed but on a workstation that is blocked from the public internet, the build quickly fails with the error:

[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled

I definitely don't want our checks published to the public github API. These are proprietary internal builds.

2 questions:

  1. How can I prevent these builds from failing?
  2. And how can I prevent this plugin from publishing information about our internal builds to a public (or microsoft-corporate) resource?

Environment
Jenkins: 2.401.1
OS: Linux - 5.4.0-65-generic
Java: 11.0.19 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu. Everywhere.

Reproduction steps

All I need is the plugin installed, but with an agent that is firewall-blocked.

Consider an iptables approach with a CIDR block to shut off internet access on that agent (while still permitting access to the Jenkins controller).

Expected Results

I expect it to fail. Or frankly, I expect to be able to assign a GitHub URL of my internal server. Maybe have the server implied based on my scm configuration of the build, and no error happens.

Actual Results

[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled

Anything else?

There needs to be an input parameter. Publishing to the public website is a huge leak of proprietary information. Is it really doing this??

macetw avatar Oct 04 '23 16:10 macetw

Suggest another improvement, that the URL is shown on the success output: [GitHub Checks] GitHub check (name: Jenkins, status: in_progress) has been published.

macetw avatar Oct 04 '23 16:10 macetw
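An added example, not part of this issue or of the plugin's own code: a small Python scanner over Jenkins console output that flags check-publish attempts aimed at the public GitHub API, using the failure and success message formats quoted above. The log lines are constructed samples, and the internal GitHub Enterprise host name is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed console output modelled on the messages quoted in this issue.
# The host github.example.internal is an assumed internal GitHub Enterprise server.
SAMPLE_LOG = """\
[Pipeline] Start of Pipeline
[GitHub Checks] GitHub check (name: Jenkins, status: in_progress) has been published.
[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled
[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://github.example.internal/api/v3) with private mode enabled
"""

# Success line: names the check but not the server it was published to.
PUBLISHED_RE = re.compile(
    r"^\[GitHub Checks\] GitHub check \(name: (?P<name>[^,]+), status: (?P<status>\w+)\) has been published\."
)
# Failure line: the only place the target API URL appears in the console output.
FAILED_RE = re.compile(
    r"^\[GitHub Checks\] Failed Publishing GitHub checks: .*?\((?P<url>https?://[^)\s]+)\)"
)

# Hosts that must never receive checks for internal builds.
PUBLIC_HOSTS = {"api.github.com", "github.com"}


def scan(log_text, internal_hosts):
    """Return (line_no, finding, detail) tuples for GitHub Checks activity in a build log.

    internal_hosts: set of hostnames that are approved GitHub Enterprise endpoints.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        failed = FAILED_RE.match(line)
        if failed:
            host = urlparse(failed.group("url")).hostname or ""
            if host in PUBLIC_HOSTS:
                findings.append((line_no, "public_api_attempt", host))
            elif host not in internal_hosts:
                findings.append((line_no, "unknown_api_host", host))
            # A failure against an approved internal host is a connectivity problem, not a leak.
            continue
        published = PUBLISHED_RE.match(line)
        if published:
            # Record successes too: the message carries no URL, so the target must be
            # confirmed from the GitHub App credential's API URL rather than from the log.
            findings.append((line_no, "published_no_url", published.group("name")))
    return findings
```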

I expect your instance is misconfigured somewhere; you need to set the right API URL. You can override it on your GitHub App credential, I think.

timja avatar Oct 05 '23 15:10 timja

The error message indicates that the GitHub Checks plugin in your Jenkins environment is attempting to publish GitHub checks to the public GitHub API, but it is failing due to the restricted internet access on your Jenkins workstation.

To prevent these builds from failing and ensure that the plugin does not inadvertently publish information about your internal builds to public or corporate resources, consider the following steps:

  1. Configure GitHub Enterprise Server URL: Ensure that the plugin is configured to use your internal GitHub Enterprise Server URL instead of the public GitHub API. To do this:

    • Access your Jenkins dashboard.
    • Navigate to "Manage Jenkins" in the left sidebar.
    • Click on "Configure System."
    • Scroll down to the section related to the GitHub Checks plugin.
    • In the "GitHub Enterprise API URL" field, specify the URL of your internal GitHub Enterprise Server.

    This configuration will direct the GitHub Checks plugin to communicate exclusively with your internal GitHub server.

  2. Agent Firewall Configuration: If one of your Jenkins agents is blocked from accessing the public internet, consider implementing firewall rules to control its internet access. You can block outgoing connections to external domains while permitting connections to the Jenkins controller.

    Here is an example of how to configure iptables to restrict internet access on the agent:

    ```sh
    # Allow loopback traffic and replies on connections that are already established
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Allow outgoing connections to the Jenkins controller (replace 1.2.3.4 with the controller's IP)
    iptables -A OUTPUT -d 1.2.3.4 -j ACCEPT
    # Block all other outgoing connections
    iptables -A OUTPUT -j DROP
    ```

    By implementing these rules, you can ensure that the GitHub Checks plugin on the agent can only communicate with the Jenkins controller.

  3. Plugin Configuration Check: Double-check the configuration of the GitHub Checks plugin to ensure it is correctly set up and not configured to use the public GitHub API unintentionally.

By following these steps and making sure the GitHub Checks plugin is configured correctly, you can prevent build failures and avoid leaking proprietary information to public resources.

enravi avatar Oct 06 '23 06:10 enravi

Thanks for trying to help, enravi, but I'm assuming that's AI generated and it's incorrect. There is no GitHub Checks configuration section.

I've double-checked, and yes, the API URL needs setting on the GitHub App credential (in the advanced settings for the credential).

https://github.com/jenkinsci/github-checks-plugin/blob/8d1713321e3db97eb07ff398400fb80efc5f6c24/src/main/java/io/jenkins/plugins/checks/github/GitHubChecksPublisher.java#L77-L79

timja avatar Oct 06 '23 06:10 timja

Thank you for the clarification. It appears that the GitHub Checks plugin relies on the API URL configured within the GitHub App credential settings for its behavior.

enravi avatar Oct 06 '23 07:10 enravi