|
| 1 | += GitHub app authentication guide |
| 2 | + |
| 3 | +This guide is targeted to users who want to use a link:https://developer.github.com/v3/apps/[GitHub app] |
| 4 | +to authenticate to Jenkins. |
| 5 | + |
| 6 | +== Why? |
| 7 | + |
| 8 | +- the link:https://developer.github.com/apps/building-github-apps/understanding-rate-limits-for-github-apps/[rate limit] |
| 9 | +for a GitHub app scales with your organization size, whereas a user based token has a limit of 5000 regardless of |
| 10 | +how many repositories you have, |
| 11 | +- for organization's that have 2fa enforced - no need to manage 2fa tokens for a 'bot' user |
| 12 | +- to improve and tighten security: the Jenkins GitHub app requires a minimum, controlled set of privileges compared to a service user and its personal access token which has a much wider set of privileges |
| 13 | + |
| 14 | +== Getting started |
| 15 | + |
| 16 | +Before you get started make sure you have the required permissions: |
| 17 | + |
| 18 | +=== GitHub |
| 19 | + |
| 20 | +You'll need the permission to create a GitHub app, if you're creating it on a personal account then you can skip this section, |
| 21 | +otherwise: |
| 22 | + |
| 23 | +- organization owner |
| 24 | + |
| 25 | +or |
| 26 | + |
| 27 | +- permission to manage GitHub apps has been |
| 28 | +link:https://help.github.com/en/github/setting-up-and-managing-organizations-and-teams/adding-github-app-managers-in-your-organization[delegated to you]. |
| 29 | + |
| 30 | +=== Jenkins |
| 31 | + |
| 32 | +You'll need the permission to create a new credential and update job configuration, the specific permissions are: |
| 33 | + |
| 34 | +- Credentials/Create |
| 35 | +- Job/Configure |
| 36 | + |
| 37 | +== Creating the GitHub app |
| 38 | + |
| 39 | +link:https://developer.github.com/apps/building-github-apps/creating-a-github-app/[Follow the GitHub guide for creating an app] |
| 40 | + |
| 41 | +The only fields you need to fill out (currently) are: |
| 42 | + |
| 43 | +- Github App name - i.e. `Jenkins - <team name>` |
| 44 | +- Homepage URL - your company domain or a github repository |
| 45 | +- Webhook URL - your jenkins instance, i.e. `https://<jenkins-host>/github-webhook/` |
| 46 | + |
| 47 | +Permissions this plugin uses: |
| 48 | + |
| 49 | +- Commit statuses - Read and Write |
| 50 | +- Contents: Read-only (to read the `Jenkinsfile` and the repository content during `git fetch`). You may need "Read & write" to update the repository such as tagging releases |
| 51 | +- Metadata: Read-only |
| 52 | +- Pull requests: Read-only |
| 53 | +- Webhooks (optional) - If you want the plugin to manage webhooks for you, Read and Write |
| 54 | + |
| 55 | + |
| 56 | +Click 'Create GitHub app' |
| 57 | + |
| 58 | +You now need to generate a private key authenticating to the GitHub app |
| 59 | + |
| 60 | +Click the 'generate a private key' option. |
| 61 | + |
| 62 | +After a couple of seconds the key will be downloaded to your downloads folder. |
| 63 | + |
| 64 | +Now you need to convert the key into a different format that Jenkins can use: |
| 65 | + |
| 66 | +[source,shell] |
| 67 | +---- |
| 68 | +openssl pkcs8 -topk8 -inform PEM -outform PEM -in key-in-your-downloads-folder.pem -out converted-github-app.pem -nocrypt |
| 69 | +---- |
| 70 | + |
| 71 | +== Install the GitHub app |
| 72 | + |
| 73 | +- From the install app section of newly created app, install the app to your organization. |
| 74 | + |
| 75 | +== Adding the Jenkins credential |
| 76 | + |
| 77 | +=== UI |
| 78 | + |
| 79 | +- From the Jenkins main page click 'Credentials' |
| 80 | +- Pick your credential store, normally `(global)` |
| 81 | +- Click 'Add credentials' |
| 82 | + |
| 83 | +Fill out the form: |
| 84 | + |
| 85 | +- Kind: GitHub app |
| 86 | +- ID: i.e. github-app-<team-name> |
| 87 | +- App ID: the github app ID, it can be found in the 'About' section of your GitHub app in the general tab. |
| 88 | +- API endpoint (optional, only required for GitHub enterprise this will only show up if a GitHub enterprise server is configured). |
| 89 | +- Key: click add, paste the contents of the converted private key |
| 90 | +- Passphrase: do not fill this field, it will be ignored |
| 91 | +- Click OK |
| 92 | + |
| 93 | +=== link:https://github.com/jenkinsci/configuration-as-code-plugin[Configuration as Code Plugin] |
| 94 | + |
| 95 | +[source,yaml] |
| 96 | +---- |
| 97 | +credentials: |
| 98 | + system: |
| 99 | + domainCredentials: |
| 100 | + - credentials: |
| 101 | + - gitHubApp: |
| 102 | + appID: "1111" |
| 103 | + description: "GitHub app" |
| 104 | + id: "github-app" |
| 105 | + # apiUri: https://my-custom-github-enterprise.com/api/v3 # optional only required for GitHub enterprise |
| 106 | + privateKey: "${GITHUB_APP_KEY}" |
| 107 | +---- |
| 108 | + |
| 109 | +== Configuring the github organization folder |
| 110 | + |
| 111 | +See the link:https://docs.cloudbees.com/docs/admin-resources/latest/plugins/github-branch-source[main documentation] |
| 112 | +for how to create a GitHub folder. |
| 113 | + |
| 114 | +- Load the folders configuration page |
| 115 | +- Select the GitHub app credentials in the 'Credentials field drop down |
| 116 | +- If you are using GitHub enterprise make sure the API url is set to your server, |
| 117 | +(note you currently need to set the API url on both the credential and the job). |
| 118 | + |
| 119 | +After selecting the credential you should see: |
| 120 | + |
| 121 | +[quote] |
| 122 | +---- |
| 123 | +GHApp verified, remaining rate limit: 5000 |
| 124 | +---- |
| 125 | + |
| 126 | +- Click save |
| 127 | +- Click 'Scan organization now' |
| 128 | +- Click 'Scan organisation log' |
| 129 | + |
| 130 | +Verify at the bottom of the scan log it says: |
| 131 | + |
| 132 | +[quote] |
| 133 | +---- |
| 134 | +Finished: SUCCESS |
| 135 | +---- |
| 136 | + |
| 137 | +=== Help? |
| 138 | + |
| 139 | +Raise an issue on link:https://issues.jenkins-ci.org/[Jenkins jira] |
| 140 | +setting the 'component' to be `github-brance-source-plugin` |
0 commit comments