Allow GitHub app to be installed in multiple orgs #290
Conversation
| } | ||
| GHAppInstallation appInstallation; | ||
| if (appInstallations.size() == 1) { | ||
| appInstallation = appInstallations.get(0); |
There was a problem hiding this comment.
I've made an assumption that most installations only work with one org, so I've made it an advanced field and by default if and only if there's one installation the plugin will just pick that.
There was a problem hiding this comment.
I get that, I am just saying that in case you did specify an owner, and there is exactly one installation, we are not verifying that the installation is in fact from that owner. Which feels wrong.
| @@ -87,7 +87,8 @@ Fill out the form: | |||
| - App ID: the github app ID, it can be found in the 'About' section of your GitHub app in the general tab. | |||
| - API endpoint (optional, only required for GitHub enterprise this will only show up if a GitHub enterprise server is configured). | |||
| - Key: click add, paste the contents of the converted private key | |||
| - Passphrase: do not fill this field, it will be ignored | |||
| - Advanced: (optional) If you've installed your same GitHub app on multiple organisations you need the next step | |||
| * Owner: the name of the organisation or user, i.e. jenkinsci for https://github.com/jenkinsci | |||
There was a problem hiding this comment.
So under this approach you cannot reuse the Jenkins credentials object across orgs, and you need to duplicate the private key. Not as smooth as having Jenkins figure out which installation to work with, but better than nothing, right?
There was a problem hiding this comment.
yeah I couldn't see a way to do that, as we don't have the context from the build job at all
There was a problem hiding this comment.
Right, it would be a more intrusive patch since you would need to do something along the lines of defining a thread-local org and setting this from a new overload of Connector.connect which passes a repoOwner and then switching as many callers as possible to the new overload. Not sure it is worth the effort since I presume the common case is for the Jenkins installation to be used on only a single org.
There was a problem hiding this comment.
Not sure it is worth the effort since I presume the common case is for the Jenkins installation to be used on only a single org.
What about for GitHub Enterprise? It doesn't seem to be possible to install an app at the Enterprise level. My Jenkins instance works on repos across many organizations in a GitHub Enterprise instance.
There was a problem hiding this comment.
I do not have GHE to test against but in that case with the current patch you would need to first install the app in each such org, then create a separate Jenkins credentials item for each installation.
There was a problem hiding this comment.
Yes, those were all public repos.
is there any way that we can get this owner based on the job config as it would already have the github repo information ?
There was a problem hiding this comment.
The credential isn’t tied to a job it’s independent, not safely, there may be some possible hacks to do it though
There was a problem hiding this comment.
My company uses Jenkins in a similar fashion as the company described by @nrayapati.
We deployed a single jenkins GitHub App that may be installed by any organization on our GHE instance. There are several hundred such organizations.
We allow our engineers to create jobs as needed within their own Jenkins folders and leverage the single GitHub App Credential.
Since any engineer can install our GitHub App on their organization, and any engineer can create an organization, we would be in the situation of needing to create a Credential for every organization as it's created.
I, too, would like to see support for a single global Credential to work for jobs across multiple organizations.
@nrayapati can you please file a Jira ticket (As this PR has already been merged and released) so that we can centralize the discussion about this use case on that ticket?
There was a problem hiding this comment.
There was a problem hiding this comment.
Can we just use the org name in repo instead of the org name in credential config?
Co-Authored-By: Liam Newman <[email protected]>
|
|
||
| ) { | ||
| GitHubAppCredentials gitHubAppCredential = new GitHubAppCredentials( | ||
| CredentialsScope.GLOBAL, "test-id-not-being-saved", null, | ||
| appID, Secret.fromString(privateKey) | ||
| ); | ||
| gitHubAppCredential.setApiUri(apiUri); | ||
| gitHubAppCredential.setOwner(owner); |
There was a problem hiding this comment.
Commenting here since the CredentialsScope.GLOBAL part is just above this:
Do you know if it's possible to use system scope credentials with the branch source plugin? One issue we ran into with our credentials plugin was making the credentials for an org only available to the builds within that org.
There was a problem hiding this comment.
It is not possible to use system scope credentials, but you can define credentials on an org folder so they are not accessible outside that folder.
|
What the...? Not sure why these tests started failing. |
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials.java
Outdated
Show resolved
Hide resolved
| } | ||
| GHAppInstallation appInstallation; | ||
| if (appInstallations.size() == 1) { | ||
| appInstallation = appInstallations.get(0); |
There was a problem hiding this comment.
I get that, I am just saying that in case you did specify an owner, and there is exactly one installation, we are not verifying that the installation is in fact from that owner. Which feels wrong.
...in/resources/org/jenkinsci/plugins/github_branch_source/GitHubAppCredentials/help-owner.html
Outdated
Show resolved
Hide resolved
…bAppCredentials.java Co-Authored-By: Jesse Glick <[email protected]>
…GitHubAppCredentials/help-owner.html Co-Authored-By: Jesse Glick <[email protected]>
…ithub.com:timja/github-branch-source-plugin into allow-github-app-to-be-installed-in-multiple-orgs
| @@ -87,7 +87,8 @@ Fill out the form: | |||
| - App ID: the github app ID, it can be found in the 'About' section of your GitHub app in the general tab. | |||
| - API endpoint (optional, only required for GitHub enterprise this will only show up if a GitHub enterprise server is configured). | |||
| - Key: click add, paste the contents of the converted private key | |||
| - Passphrase: do not fill this field, it will be ignored | |||
| - Advanced: (optional) If you've installed your same GitHub app on multiple organisations you need the next step | |||
| * Owner: the name of the organisation or user, i.e. jenkinsci for https://github.com/jenkinsci | |||
possibly but I copied the text that is used for it when configuring it in a pipeline organisation, the help text and docs explain it better |
|
Sorry for making a comment on this closed PR: but I had to make a comment here. Let me know your thoughts, I can log a JIRA with more details. Thank you! |
Description
See #269 (comment)
To test it you need multiple organisation, ideally with private repos on both as public repos can be read even if haven't granted access, install the app to both organisations and follow the steps in the documentation
Submitter checklist
Reviewer checklist
Documentation changes
doc is in the repo
Users/aliases to notify
@jglick @bitwiseman @dwnusbaum