7
votes

I have been using the Git Plugin in Jenkins to pull the source code from the GitHub repository. I have been using UserName and Password for authentication.


However, GitHub has announced:

Deprecation Notice: GitHub will discontinue password authentication to the API. You must now authenticate to the GitHub API with an API token, such as an OAuth access token, GitHub App installation access token, or personal access token, depending on what you need to do with the token

So I need to change the authentication to use an OAuth token.

1> I have created an OAuth token in GitHub
2> Then in Jenkins I created Secret Text as Global Credentials. (using the GitHub's OAuth token)
3> However, when I go to job configuration, the Git Plug-In does not show any credentials in the DropDownList whose type is secret text (it shows all other credentials though)

How do I configure the Git Plug-in to use an OAuth token?

4 Answers

1
votes

Check first if you have the github-oauth Jenkins plugin installed, as described in "Use the Jenkins OAuth plug-in to securely pull from GitHub", from Walker Rowe.

That would allow you to register your Jenkins server as an application which can then access GitHub resources:

https://cdn.ttgtmedia.com/rms/editorial/TSS_jenkins_oauth_041018_fig5_desktop.png

0
votes

Stick with the "Username with Password" credential type, created with a token (usually a Personal Access Token) in place of the password.

The GitHub docs you linked to mention this type of use case specifically:

curl -u username:token https://api.github.com/user

This approach is useful if your tools only support Basic Authentication but you want to take advantage of OAuth access token security features.


The Git Plugin doesn't accept a SecretText credential because it wouldn't know what to do with it. While it isn't limited to Basic Auth only (it supports SSH, after all), it doesn't know what to do with just an OAuth token.

Fortunately, GitHub has provided a workaround for this exact type of use case, by allowing you to pass a token (virtually) anywhere you would otherwise use a password.

Using this method allows you to take advantage of the security features of tokens, such as per-token scopes, without having to retro-fit your existing tooling.
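
One way to use the credential described in this answer from a Pipeline job, as an added example that is not part of the original answer. The credential ID `github-pat`, the repository URL and the branch name are placeholders, and the Git and Credentials Binding plugins are assumed to be installed:

```groovy
// Added example (not from the original answer). Assumed placeholders:
// credential ID 'github-pat', the repository URL and the branch name.
pipeline {
    agent any
    stages {
        stage('Checkout') {
            steps {
                // 'github-pat' is a "Username with password" credential:
                //   username = GitHub login
                //   password = the personal access token, not the account password
                git url: 'https://github.com/example-org/example-repo.git',
                    branch: 'main',
                    credentialsId: 'github-pat'
            }
        }
        stage('Call GitHub API') {
            steps {
                // Bind the same credential to environment variables for this block only.
                withCredentials([usernamePassword(credentialsId: 'github-pat',
                                                  usernameVariable: 'GH_USER',
                                                  passwordVariable: 'GH_TOKEN')]) {
                    // Single-quoted Groovy string: the shell expands the variables,
                    // so the token is not interpolated into the script text by Groovy.
                    sh 'curl -fsS -u "$GH_USER:$GH_TOKEN" https://api.github.com/user'
                }
            }
        }
    }
}
```

Keep the token out of the clone URL itself; a URL of the form `https://user:token@github.com/...` is stored in the job configuration and in the workspace's `.git/config`.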

0
votes

Another approach is to take advantage of the GitHub App authentication support.

It was released in April 2020 with GitHub Branch Source 2.7.0-beta1 which is available in the Jenkins experimental update center.

Why authenticate as a GitHub app?

  • Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user based token has a limit of 5000 regardless of how many repositories you have.
  • User-independent authentication - Each GitHub app has its own user-independent authentication.
    No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
  • Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens.
    This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
  • Access to GitHub Checks API - GitHub Apps can access the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotation.

https://jenkins.io/images/github-app-rate-limit.png

And:

In addition to usage of GitHub App authentication for Multi-Branch Pipeline, you can also use app authentication directly in your Pipelines.

You can access the Bearer token for the GitHub API by just loading a 'Username/Password' credential as usual, the plugin will handle authenticating with GitHub in the background.

0
votes

This answer describes the entire process of setting up OAuth with GitHub in Jenkins: https://stackoverflow.com/a/61995795/9962007