Add support for GitHub app authentication

[timja]

• JENKINS issue(s):
  • JENKINS-57351
• Description:
  • Adds support for authenticating as a GitHub app (see the jira for more information)
• Documentation changes:
  • I've added a guide to this repo internally, can easily be ported elsewhere if needed
• Users/aliases to notify:
  • @bitwiseman

[ojacques]

Great! If we wanted to try - would generating a locally built github-api-plugin version 1.102 work?

[timja]

You’ll need to compile locally:
GitHub-api
GitHub-api-plugin
This PR

It’s based off 1.101 but version shouldn’t matter too much as long as it’s recent

[bitwiseman]

@ojacques @timja You can now switch to just a local build of this PR. The other two items have been merged.

[bitwiseman]

Looking good. A few questions. Probably a few more once you've added that test coverage you want to.

[timja]

@bitwiseman I might need some guidance on the tests you would like to see here, I commented out the existing code around auth and all the tests passed so i don’t think there’s any existing coverage

[timja]

we could add a dependency to bouncy castle then we could handle this? or ask users to convert it?

[bitwiseman]

Let's start with asking user to do this. Smoothing can be a later release.

[dwnusbaum]

There is a Bouncy Castle API Plugin that was split from Jenkins core in the past and has a wide install base that you can depend on for this kind of thing, but I agree that it seems best to save that for later.

[timja]

Great! If we wanted to try - would generating a locally built github-api-plugin version 1.102 work?

@ojacques did you get a chance to try this? I've just pushed documentation for it
https://github.com/timja/github-branch-source-plugin/blob/github-app-support/docs/github-app.adoc

[ojacques]

@ojacques did you get a chance to try this? I've just pushed documentation for it
https://github.com/timja/github-branch-source-plugin/blob/github-app-support/docs/github-app.adoc

@timja, thanks for everything, and for the doc (I will suggest some modifications about it later).
Unfortunately, I was not able to get this going. Note that this is with a GitHub enterprise instance, but that should not matter.

I'm getting this:

It looks like this is failing in Connector.java, at GHApp app = gitHubApp.getApp();.

145 is my github app ID (which is not the installation id).
I "installed" the app in the github organization I want to get access to, but that did not make a difference.

My test environment is: github enterprise, the github-branch-source-plugin compiled fresh from this PR and Jenkins 2.219 running in a container.

Any idea?

[timja]

Do you know what version of GHE you are on?

I've pushed more logging, which might help debug it

[ojacques]

Do you know what version of GHE you are on?

2.19.6

[timja]

Could you try re-build a fresh version, (or wait for CI which will give you one too if you just want to download it)

I've added additional logging to help debug it

[ojacques]

It looks like it tries to talk to api.github.com, not the github enterprise URL that is configured:

Exception validating credentials 145
java.io.FileNotFoundException: https://api.github.com/app
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1896)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)
	at org.kohsuke.github.Requester._fetchOrRetry(Requester.java:523)
Caused: java.io.FileNotFoundException: https://api.github.com/app

The end point should be https://github.xyz.com/api/v3, which is the one that is selected as the API end point, just above "credentials" drop down.

[timja]

Should be fixed now, please re test

[ojacques]

Thanks @timja, update from my testing:

• ✔ I can scan a github org (GitHub enterprise) with Jenkins as a GitHub app! 🎉 🎆
• For the organization scan to fully work, I had to give the GitHub app more "repository" type permissions:
  • Contents: read-only (to read the Jenkinsfile, and I was expecting also to be able to get the code from the repo)
  • Metadata: Read-only (was set automatically)
  • Pull requests: read-only (without this one, the scan was not fully completing as it looks through PRs / branches to create all the jobs)
  • Commit status: read-write (this one is as per your doc)
• ❌ Yet, the actual jobs are failing: they can't seem to get repo content from GitHub:
  

For that git phase, the credential used seems to be an ssh key (using GIT_SSH to set credentials) - probably the one set for the GitHub app. Shouldn't this be a token instead (which is what we get from a GitHub app)?

Great progress in any case!

[timja]

@ojacques I've pushed a temporary fix, not sure how this was working for me locally, but it's not anymore.

[ojacques]

Fetching repo / running jobs still does not work:

I could be available on slack or gitter if needed.

After some discussions and more tests:

• This PR does work "as is" with github.com and public repos
• It needs more work to support private repos on github.com or GitHub enterprise in "private mode"

[timja]

We've had a chat on gitter, the GHE issue can be re-produced on Github.com by trying to checkout a private repo, for some reason the creds aren't being used on checkout

[oleg-nenashev]

I am fine. We can always generalize it later if needed

[oleg-nenashev]

FYI @sladyn98 @uhafner, the functionality created here could be reused in the GitHub Checks API integration project. https://jenkins.io/projects/gsoc/2020/project-ideas/github-checks/

[sladyn98]

@oleg-nenashev Yes this is definitely reusable, I used a part of this code in my POC for the Github Checks API Plugin.https://github.com/sladyn98/JenkinsChecksPOC

[ojacques]

FYI @sladyn98 @uhafner, the functionality created here could be reused in the GitHub Checks API integration project. https://jenkins.io/projects/gsoc/2020/project-ideas/github-checks/

Yes. Here is a PoC which posts a checks run using a valid authentication token issued from Jenkins as GitHub App, all with Jenkinsfile:

pipeline {
  agent any

  stages{
    stage('Check run PoC') { 
      steps {
        withCredentials([usernamePassword(credentialsId: 'githubapp-jenkins', usernameVariable: 'GITHUB_APP', passwordVariable: 'GITHUB_JWT_TOKEN')]) {
        sh '''
        curl -H "Content-Type: application/json" -H "Accept: application/vnd.github.antiope-preview+json" -H "authorization: Bearer ${GITHUB_JWT_TOKEN}" -d '{ "name": "check_run", "head_sha": "'${GIT_COMMIT}'", "status": "in_progress", "external_id": "42", "started_at": "2020-03-05T11:14:52Z", "output": { "title": "Check run from Jenkins!", "summary": "This is a check run which has been generated from Jenkins as GitHub App", "text": "...and that iss awesome"}}' https://github.xyz.com/api/v3/repos/ojacques/jenkins-with-githubapp/check-runs
        '''
        }
      }
    }
  }
}

[timja]

FYI @sladyn98 @uhafner, the functionality created here could be reused in the GitHub Checks API integration project. jenkins.io/projects/gsoc/2020/project-ideas/github-checks

Yes. Here is a PoC which posts a checks run using a valid authentication token issued from Jenkins as GitHub App, all with Jenkinsfile:

pipeline {
  agent any

  stages{
    stage('Check run PoC') { 
      steps {
        withCredentials([usernamePassword(credentialsId: 'githubapp-jenkins', usernameVariable: 'GITHUB_APP', passwordVariable: 'GITHUB_JWT_TOKEN')]) {
        sh '''
        curl -H "Content-Type: application/json" -H "Accept: application/vnd.github.antiope-preview+json" -H "authorization: Bearer ${GITHUB_JWT_TOKEN}" -d '{ "name": "check_run", "head_sha": "cd2cf268e59fdf2e11fb677a4ca1a53f58826e0c", "status": "in_progress", "external_id": "42", "started_at": "2020-03-05T11:14:52Z", "output": { "title": "Check run from Jenkins!", "summary": "This is a check run which has been generated from Jenkins as GitHub App", "text": "...and that iss awesome"}}' https://github.xyz.com/api/v3/repos/ojacques/jenkins-with-githubapp/check-runs
        '''
        }
      }
    }
  }
}

Nice!

It'll be great once it's fully integrated,

tests showing up there
warnings on PR
lint results
ability to re-run

etc

[uhafner]

Yes, that looks very promising!

[sladyn98]

@ojacques Has this (reporting to Checks API) already been implemented as a Pipeline step
cc @timja

[droidpl]

When do you plan to create a release with this?

[ojacques]

@ojacques Has this (reporting to Checks API) already been implemented as a Pipeline step

We did not yet, but were looking to start.

[sladyn98]

@ojacques okay cool, i would love to contribute, since it is a part of my proposal for the github Checks API

[oleg-nenashev]

@timja I will try to facilitate the release. Just in case, would you be interested to write a blogpost about this feature or to present it at one of the next Jenkins Online Meetups?

[timja]

@timja I will try to facilitate the release. Just in case, would you be interested to write a blogpost about this feature or to present it at one of the next Jenkins Online Meetups?

yes, either / both.

[timja]

@timja I will try to facilitate the release. Just in case, would you be interested to write a blogpost about this feature or to present it at one of the next Jenkins Online Meetups?

Draft blog post:
jenkins-infra/jenkins.io#2988

[kad-kooija]

When will this be released?

[steve-norman-rft]

https://jenkins.io/blog/2020/04/16/github-app-authentication/

[bitwiseman]

General release in the next week.