Jenkins release pipeline for Github - github

I have a Jenkins pipeline job to make a release. It uses the Jenkin's Github plugin to checkout the project and make a build.
My simplified DSL is:
multibranchPipelineJob('Release') {
...
branchSources {
branchSource {
source {
github {
id('AAA')
repoOwner('BBB')
repository('CCC')
credentialsId('github-credentials')
repositoryUrl('https://github.com/BBB/CCC')
configuredByUrl(false)
}
}
...
}
}
...
}
and my simplified 'Jenkinsfile' is like:
pipeline {
agent any
stages {
stage('Build & Release') {
steps {
sh "./gradlew clean build release"
}
}
}
}
But, when it tries to execute the release task, it fails with the following exception.
Caused by: org.eclipse.jgit.errors.TransportException: https://github.com/BBB/CCC.git: Authentication is required but no CredentialsProvider has been registered
at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:531)
at org.eclipse.jgit.transport.TransportHttp.openPush(TransportHttp.java:434)
at org.eclipse.jgit.transport.PushProcess.execute(PushProcess.java:127)
at org.eclipse.jgit.transport.Transport.push(Transport.java:1335)
at org.eclipse.jgit.api.PushCommand.call(PushCommand.java:137)
My understanding is that when release task is run, it tries to connect using SSH to Github, but I haven't setup one as we don't want to maintain a 'user' for Jenkins on Github. How can I resolve this without setting up SSH keys on Github?

You need to make sure you have proper credential set in the Jenkins system config page.
As seen in the documentation, register a PAT (Personal Access Token) stored in Jenkins through the Jenkins Credentials plugin.
Then convert it to a username/password using the GitHub plugin:
Go to the global configuration and add GitHub Server Config.
Go to Advanced -> Manage Additional GitHub Actions -> Convert Login and Password to token

Related

"Default" project-named Repo deletion by terraform in code

I would like to have only my "defined" repository with resource "azuredevops_git_repository" [MyRepo] and not have the system generated one uninitalized with project name [MyProject], is it possible somehow on code level ?
Provider : Terraform-azuredevops
https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/git_repository
resource "azuredevops_git_repository" "repo" {
project_id = azuredevops_project.project.id
name = "MyRepo"
default_branch = "refs/heads/develop"
initialization {
init_type = "Clean"
}
lifecycle {
ignore_changes = [
initialization,
]
}
}
resource "azuredevops_project" "project" {
name = "MyProject"
description = "MyDescription"
visibility = "private"
version_control = "Git"
work_item_template = "Agile"
}
Could you please help me to find and elaborate on this answer ?
Thank you in advance,
After I deleted the default repository from the Web UI of Azure DevOps, Terraform did not indicated any change on the code level, So I can not understand how can I prevent the "default" repository creation on code level e.g. by the resource "azuredevops_git_repository" or the project definition
as my knowledge, the Terraform-Azure DevOps provider can be used to configure Azure DevOps project in Microsoft Azure using Azure DevOps Service REST API.
For the create project rest api, there isn't a parameter to change the default repo name.
Thus here are two ways for your reference:
1.After creating a new project->do your shown 'create defined name repo' step, you could call corresponding delete repo rest api to delete the default repo (since a project needs at least one repo exists).
2.After creating a new project, you could directly rename the default repo by calling the rest api update repo.
I hope it could do some help.

Terraform Git Clone does not seems to work with GITHUB_TOKEN but works when used a PAT

I am adding a Github actions workflow to execute terraform commands as part of the pipeline.
The terraform code refers refer to terraform modules from another repo as follows.
module <moduleName> {
source = "git::git#github.com:<orgName>/<moduleRepo>.git//<modulePath>?ref=<moduleTag>"
...
}
This will lead to fetching the code from given tag during terraform init command execution.
To ensure that https url is used instead of SSH git url. I am overriding the git config url as follows.
git config --global url."https://oauth2:$GITHUB_TOKEN#github.com/<orgName>/<moduleRepo>.git".insteadOf "ssh://git#github.com/<orgName>/<moduleRepo>.git"
But GITHUB_TOKEN does not allow git clone and this fails with the following error:
remote: Invalid username or password.
fatal: Authentication failed for
'https://github.com/<repoName>/<moduleRepo>.git/'
I also tried adding permission to the workflow for repositories as follows:
permissions:
repository-projects: read
The repo setting for action is set to : Allow all actions and reusable workflows
If I change the GITHUB_TOKEN with my PAT with repo permissions, then the workflow works without any issues.
Please let me know how to configure GITHUT_TOKEN with required permissions. I want to make it work with GITHUB_TOKEN rather than PAT.
Eventually I was able to figure out the issue. The GITHUB_TOKEN is made available to the Github Action workflow as a secret and not as an environment variable.
The issue was I was treating it as an environment variable and using it as such, which lead to the error.
I changed the workflow as follows to use it as a secret.
jobs:
<jobName>:
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
I updated the git config as follows to use the token properly:
git config --global url."https://oauth2:$GH_TOKEN#github.com/<orgName>/<moduleRepo>.git".insteadOf "ssh://git#github.com/<orgName>/<moduleRepo>.git"
The workflow now seems to work properly.
The usage is documented here: https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api#authentication-example-for-github-actions
Adding my answer here to help others facing similar issue.

Jenkins pipeline unable to connect to github PRIVATE repository

Pulled latest jenkins image in docker. Followed the steps of jenkins io. Jenkins runs fine, I am able to create builds which checkout git repos.
What doesn't seem to work, is to create a pipeline for a PRIVATE github repo. The documentation states:
create access token in github [OK]
use it to authenticate [OK]
choose company/project [OK]
choose multibranch repo [OK]
create pipeline [fails]
The wizard complains about that there is no existing Jenkinsfile in my repo. That's incorrect. I do have a Jenkinsfile, which is correct (generated by blueocean too). So I guess the fact the blueocean complains about missing Jenkinsfile is related to not being able to find the project/branches in github. Something with credentials no longer working?
Also, when I follow the steps and try to manually create the pipeline:
Again, a strange error message, again I guess related to something which is broken in credential management, either in jenkins <-> github, or blueocean <-> github.
Last, when I open the build (=pipeline) from jenkins dashboard, I can click on Scan repository log which at least states the error clearly.
ERROR: [Mon Jul 11 12:43:07 UTC 2022] Could not update folder level actions from source blueocean
[Mon Jul 11 12:43:07 UTC 2022] Finished branch indexing. Indexing took 0.23 sec
FATAL: Invalid scan credentials when using anonymous access to connect to basprins/unode on https://api.github.com
Finished: FAILURE
Again, the Personal Access Token is good. I created one with ALL scopes enabled (max rights in my repo) just to be sure nothing is left unchecked. It is "good enough" to login and checkout the branch. It seems to fail with actually creating the pipeline. I have no clue what else can be wrong on my side.
I tried any combination of username/password (legacy email address username + legacy password, or my github username + personal access token, and all 4 possible combinations of the two username/password pairs). Nothing gives.
Is there anybody that can confirm (or deny?) that above is possible, or would be willing to reproduce it on your side? It's an no-brainer docker setup. All you need to create is some temporary PRIVATE github.
Looking forward to an actual answer!
I had the same error and it seems like the jenkins credentials for the personal access token are not getting created automatically. This is how you can check if your issue is the same as mine:
Open the configuration of the multibranch pipeline.
Go to branch sources and then check if there is a name in the dropdown for credentials.
If there is no name then it's the same issue.
The following is what I did to fix it:
Click on Add and create a credential with the following values:
Kind: Choose the option username and password.
username: Enter the github username.
password: Enter the api token you created.
Create the credential by clicking on add.
Choose the credential in the dropdown credentials and save the configuration.
Go to the overview page for the multibranch pipeline (in the old jenkins, not blueocean) and click on Scan repository now to run the scan again with working credentials.
The error should now be resolved.

Authentication to access other parts of Azure DevOps within a custom task

I want to create a Azure DevOps custom task that accesses other parts of Azure DevOps. Specifically, I want to create a custom task that adds a comment to a PR.
Unfortunately, I can't figure out how to authenticate properly. I found this code and added it to my task:
let token: string = tl.getEndpointAuthorizationParameter("SYSTEMVSSCONNECTION", "AccessToken", false);
let collectionUrl: string = tl.getEndpointUrl("SYSTEMVSSCONNECTION", false).replace(".vsrm.visualstudio.com", ".visualstudio.com");
let authHandler = token.length === 52 ? vsts.getPersonalAccessTokenHandler(token) : vsts.getBearerHandler(token);
let connection = new vsts.WebApi(collectionUrl, authHandler);
but I get the error:
TF401027: You need the Git 'PullRequestContribute' permission to perform this action. Details: identity 'Build\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX', scope 'repository'.
I verified that the build service should have the correct permissions:
I've also tried checking the box "Allow scripts to access the OAuth token" in the Job settings, but that had no effect.
What am I missing?
You need to give permissions to the build users:
In Microsoft hosted agent is "Build Service (user-name)" and "Project Collection Build Service (Project)" (Sometimes the last only show up if you type the UUID (8837...) on "Search for user or groups".)
Can be found in project settings > repositories > permissions
I think you should use the "System.AccessToken" variable to get the token:
tl.getVariable('System.AccessToken');
Predefined build variables - System.AccessToken
I use that in my build task: https://github.com/ashamrai/AzureDevOpsExtensions/blob/master/CustomBuildTask/NewWICustomTask/index.ts

Push Docker Repository to Dockerhub with Jenkins

we want to push an docker repository to DockerHub - from the shell is works. But in Jenkins we get the error message "errorDetail":{"message":"unauthorized: access to the requested resource is not authorized"
I think the problem is that in shell (docker login) i have to insert the email adress, login and password. In Jenkins i can only set login and password NO email.
The version of credential plugin is 1.24 and we use docker-build-step for the docker steps.
thx
Can you have a try with the CloudBees Docker Build and Publish plugin?
This plugin allows to create a build step to build a Dockerfile and publish the image into a registry (DockerHub or a private registry):
Another solution is to open a session on your Jenkins machine with the jenkins user + login to DockerHub with the relevant credentials?
With this solution, the DockerHub credentials will be cached and Jenkins should be able to push your images to the DockerHub registry.
Maybe you can use Docker pipeline plugin (it comes in the recommended plugins).
Jenkinsfile example:
node {
checkout scm
def dockerImage
stage('Build image') {
dockerImage = docker.build("username/repository:tag")
}
stage('Push image') {
dockerImage.push()
}
}
Doing it this way, you must specify the credentials of the docker registry in the Pipeline Model Definition.
Docker pipeline plugin has problems applying the credentials assigned in Pipeline Model Definition to projects with Multi-branch pipeline. That is, if using the above code you continue to receive the error:
denied: requested access to the resource is denied
Then you must specify the credentials in the Jenkinsfile as follows:
node {
checkout scm
def dockerImage
stage('Build image') {
dockerImage = docker.build("username/repository:tag")
}
stage('Push image') {
docker.withRegistry('https://registry-1.docker.io/v2/', 'docker-hub-credentials') {
dockerImage.push()
}
}
}
You can modify the URL to a custom registry if you need it