GitHub App authentication on ci.jenkins.io


Oleg Nenashev

Jul 30, 2020, 5:18:23 AM
to Jenkins Infrastructure
Hi all,

As discussed at the previous Infra team meeting, we went ahead and created a new GitHub App for ci.jenkins.io. The process is well described in this blog post by Tim. Usage of GitHub apps gives us higher rate limits (5000 -> 12000) and also gives us access to some GitHub APIs: Checks, Deployments, etc. We have also set up fine-grain permissions instead of the wide jenkinsadmin access we had before. This app is currently configured in multiple org folders including the Jenkins Core and tools. Feedback will be appreciated.

Remaining action items for GitHub App Authentication:
  • Plugins folder - needs +1s from other members
  • Infra folder - We need to install the app on jenkins-infra and to grant it access to the same repositories as the Jenkins Admin bot. We should not enable it globally there
  • Stapler folder -  We need to add the ci.jenkins.io app to the Stapler GitHub organization. Olivier and Daniel have admin permissions there
  • Reporting folder - Jobs there have no authentication at all, not sure whether they hit rate limits and need updates. Would appreciate feedback from Daniel and Wadeck
  • Documentation... PR is ready for review: https://github.com/jenkins-infra/documentation/pull/10 
Future steps:
  • Once we install the GitHub Checks API plugin and the new Warnings NG version, plugin developers will see static analysis checks in the UI. See yesterday's GSoC project demo by Kezhi here
  • Incrementals publishing steps will ideally need an update to use GitHub Checks or Deployments API so that we no longer use the GitHub bot for it
  • Switch other Jenkins instances to GitHub app authentication?
Best regards,
Oleg

timja...@gmail.com

Jul 30, 2020, 10:10:24 AM
to Jenkins Infrastructure
Thanks for the update.

My +1 for plugins folder

Thanks
Tim

Mark Waite

Jul 30, 2020, 10:38:38 AM
to jenkin...@googlegroups.com
+1 from me as well for adding the plugins folder.  Thanks very much for doing this!


Gavin Mogan

Jul 30, 2020, 12:01:15 PM
to Jenkins Infrastructure
Is there any reason not to do the plugins folder? I mean it's +1 from me because I can't think of a reason not to

Oleg Nenashev

Jul 30, 2020, 12:48:57 PM
to jenkin...@googlegroups.com
No particular reason, everything works like a charm.
I will switch the plugin directory credentials tomorrow if there is no negative feedback.


Jesse Glick

Jul 30, 2020, 4:30:46 PM
to jenkin...@googlegroups.com
On Thu, Jul 30, 2020 at 5:18 AM Oleg Nenashev <o.v.ne...@gmail.com> wrote:
> Incrementals publishing steps will ideally need an update to use GitHub Checks or Deployments API so that we no longer use the GitHub bot for it

Could use Checks, or just continue to use the old commit status API.
Either way, the point is that the incrementals publisher tool needs to
be tweaked to use App authentication rather than a PAT:

https://github.com/jenkins-infra/community-functions/blob/7c8537a68872ac5c07a653b031e1ba36bca0b32e/incrementals-publisher/lib/github.js#L8-L16

I could help propose a code patch, but I have no good way of testing
that. App authentication is unfortunately complex, since you need to
create a JWT and get a specific token for the installation, so there
is some scripting needed.
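
The two steps mentioned in the message above (create a JWT, then request a token for the installation), as an added example that is not part of this thread or of the incrementals-publisher code. The function names, the App ID `12345`, the installation ID `67890` and the key pair generated inline are constructed for illustration; the request is only built, not sent.

```javascript
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Step 1: sign a short-lived JWT (RS256) with the App's private key.
// GitHub accepts an `exp` at most 10 minutes in the future.
function createAppJwt(appId, privateKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iat: nowSec - 60,      // backdated to tolerate clock drift
    exp: nowSec + 9 * 60,  // stays under the 10-minute maximum
    iss: appId,            // the GitHub App ID
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Step 2: the request that exchanges the JWT for an installation token.
// The token in the response is what replaces the PAT in API calls.
function installationTokenRequest(jwt, installationId) {
  return {
    method: 'POST',
    url: `https://api.github.com/app/installations/${installationId}/access_tokens`,
    headers: { Authorization: `Bearer ${jwt}`, Accept: 'application/vnd.github+json' },
  };
}

// Local check: verify the signature and return the claims, or null if invalid.
function verifyAppJwt(jwt, publicKeyPem) {
  const [h, p, s] = jwt.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKeyPem,
    Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}

// Constructed demo values: a throwaway key pair stands in for the App's key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const demoJwt = createAppJwt(12345, privateKey, 1700000000);
const demoReq = installationTokenRequest(demoJwt, 67890);
console.log(verifyAppJwt(demoJwt, publicKey), demoReq.method, demoReq.url);
```

In a real deployment the private key is the PEM file downloaded from the App's settings page and should be stored as a secret, since anyone holding it can mint tokens for every installation of the App.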