My GitHub account has two factor authorization (2fa) enabled. I want to integrate Jenkins with a few of my private repositories, but I cannot authorize them because I have 2fa enabled. Note this is a multibranch pipeline project.
Any ideas how to configure Jenkins to connect with private repos without creating a dummy account that does not have 2fa enabled?
Whoever would have thought to click the help button?
Credentials used to scan branches and pull requests, check out sources and mark commit statuses.
If none is given, only the public repositories will be scanned, and commit status will not be set on GitHub.
If your organization contains private repositories, then you need to specify a credential from an user who have access to those repositories.
This is done by creating a "username with password" credential where the password is GitHub personal access tokens. The necessary scope is "repo"
i.e. use a GitHub personal access token as your password when using username/password for your Jenkins credential.
I'm the admin in a GitHub repository and I've added a collaborator, this collaborator needs to pull the repository and the system asks the access token.
How can a collaborator download a GitHub repository and how I create an access token for them?
I've found the solution, basically the collaborator needs to create an access token and then clone the repository, when prompted for Username, fill the username and when prompted for password you need to put the access token (not the password).
You do not need to provide them an access token. Assuming your repository is private, the collaborator needs to authenticate to GitHub when pulling (and when pushing even if the repository is public). They should do that by setting up their own account appropriately.
That can be by using their own personal access token as the password when prompted for the username and password over HTTPS, which they can create in the settings page, or they can create an SSH key and upload the public part to GitHub, and then use SSH to clone from or push to the repository.
The collaborator can clone the repo to their terminal using their own personal access token.
I need to create documentation giving instructions to generate a Personal Access Token that will only need to create Pull Requests on Github.
I've read the documentation describing the various OAuth scopes, but it is still not clear to me which OAuth scope(s) I need to select in order to be able to create a Pull Request.
What OAuth scope(s) need to be selected for users to be able to create Pull Requests?
From https://docs.github.com/en/rest/reference/pulls#create-a-pull-request:
To open or update a pull request in a public repository, you must have write access to the head or the source branch. For organization-owned repositories, you must be a member of the organization that owns the repository to open or update a pull request.
The repos scope should be needed.
And, with the GitHub CLI gh v2.22.0 (Jan. 2023), you can search from within your local cloned GitHub repository:
See gh auth status --show-token: it will display the auth token you are using.
After a quick internet search I couldn't seem to find an easy way for my Azure Pipeline to write a custom comment back to the PR that triggered it. Is this possible? Does it require a PAT? I can't use any solution that requires exposing a PAT to an external PR, as they could then easily exfiltrate it.
Sure, you can add comments to the PR on GitHub from Azure pipelines. You can use the GitHub Comment task in your pipeline to easily write comments to the GitHub PR.
With this task, you also need to create a GitHub service connection, or a GitHub Enterprise Server service connection if your repository is hosted on GitHub Enterprise Server, for use on the task.
When creating the GitHub (or GitHub Enterprise Server) service connection, you can choose an authorization method from the options.
GitHub service connection -- Grant authorization or Personal Access Token
GitHub Enterprise Server service connection -- Personal Access Token, Username and Password or OAuth2
So, a GitHub PAT is not required if the authorization method you choose is not Personal Access Token.
[UPDATE]
If you are worried that the service connection would be abused by someone to attack your source code repository, you can do the following things:
On GitHub, you can create a PAT, and limit the permission scopes of this PAT. More details, see "Creating a personal access token".
On Azure DevOps, you can choose Personal Access Token as the authorization method on the service connection, and fill with the PAT that you created in above step. Then you can limit which users, teams and groups, even which pipelines, can use the service connection in the project. More details, you can see "Secure a service connection".
I just created a new organization for my team on Azure DevOps. I wanted to activate the git access through username/password to begin with (for multiple reasons: We use Https, so no ssh certificate, and I've no idea how to use PAT with our current git client (sourcetree)).
Currently, when I go in my settings on "Alternate credentials", I get this:
But I've been into the organization page and I cannot find this settings? How can I enable it?
But I've been into the organization page and I cannot find this
settings? How can I enable it?
You can't enable that, the Alternate authentication credentials setting has been removed from Organization settings=>Policies for newly created organizations. Check the blog shared above in Michael's answer.
I've no idea how to use PAT with our current git client.
It's recommended to use PAT instead since you have no SSH certificate. Here're samples about how to use git+pat without pop-up window for credentials (Useful when you're running the commands in pipeline, since you can't enter credentials if there's pop-up window):
1. You can generate Git credentials to get temp username and password, and then use format:
git clone https://UserName:Password@dev.azure.com/OrgName/ProjectName/_git/RepoName
2. You can create a limited PAT (more secure than Full access) and use command:
git clone https://anything:{yourPAT}@dev.azure.com/OrgName/ProjectName/_git/RepoName
Same format when using git push...
Also you can clone the repo with git clone + URL from this button. Per my experience, it will prompt for credentials and save the credentials in local machine.
For Source Tree:
Url: https://OrganizationName.visualstudio.com
userName: The email address of your azure devops account
password: PAT
Enter correct URL format, click the refresh PAT button and enter the email as username, PAT as password. The authentication succeeds in my source tree for windows.
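Added example, not part of the original answer: a clone URL that carries the PAT inline is stored verbatim as the remote URL in .git/config (and in shell history), so the functions below find such entries and print a scrubbed config. The function names, the sample config and the token value are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate and remove credentials that a clone URL with an inline
# user:PAT pair leaves in .git/config. All sample values are constructed.

# Write a constructed sample config to the path in $1.
write_sample_config() {
    cat > "$1" <<'EOF'
[remote "origin"]
    url = https://anything:EXAMPLEPAT123@dev.azure.com/OrgName/ProjectName/_git/RepoName
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = https://dev.azure.com/OrgName/ProjectName/_git/RepoName
EOF
}

# Print "LINE URL" for each url entry carrying user:secret@, with the secret redacted.
find_url_credentials() {
    grep -nE '^[[:space:]]*url[[:space:]]*=[[:space:]]*https?://[^/@:[:space:]]*:[^/@[:space:]]+@' "$1" |
        sed -E 's#^([0-9]+):[[:space:]]*url[[:space:]]*=[[:space:]]*(https?://[^/@:]*):[^@]+@#\1 \2:***@#'
}

# Print the config with user:secret@ removed from every url entry.
# A bare "user@" (no secret) is left alone.
scrub_config() {
    sed -E 's#^([[:space:]]*url[[:space:]]*=[[:space:]]*https?://)[^/@:[:space:]]*:[^/@[:space:]]+@#\1#' "$1"
}

# Demo on the constructed sample: report the finding, then show the scrubbed urls.
tmp=$(mktemp)
write_sample_config "$tmp"
find_url_credentials "$tmp"
scrub_config "$tmp" | grep 'url ='
rm -f "$tmp"
```

After scrubbing, a credential helper can supply the PAT when git prompts, and a PAT that was stored in a config file should be revoked and reissued.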
Looks like effective March 2, 2020 Alternate Credentials are no longer supported. Organizations created before then can use them for a short time to transition to PATs. New organizations do not have that option. Source
From Microsoft DevBlog:
Deprecation Timeline
Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don’t have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
March 2, 2020 – Start gradually disabling Alternate Credentials for all Azure DevOps organizations.
Legacy Organizations
If you have a legacy organization, the option would appear under Organization Settings, Policies (under the Security subheading). The toggle is called "Alternate authentication credentials"
"I want to create a service connection using AzureDevOps with which we get access to only one particular repository. But when I Create service connection it will give access to all repositories present in one account"
I already tried creating a personal access token using Github. But GitHub doesn't allow to create public access token with limited repository access.
How can I generate a personal access token with limited repository access?
When you create a new GitHub service connection, you can choose Personal Access Token like below.
Then visit https://github.com/settings/tokens to create personal access tokens and you can choose your expected scope.
In this time, I choose the public_repo scope, create the token, copy the token to Azure DevOps and create the new GitHub connection.
As you can see, there are five repositories in my GitHub, one is private and four are public.
Then in the build pipeline source, I just get the four public repositories and don’t get the private repository.
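Added example, not part of the original answers: the Jenkins help text quoted earlier asks for the "repo" scope and the answer above picks public_repo; for a classic GitHub token the API reports the granted scopes in the X-OAuth-Scopes response header, so a CI token can be checked against the scopes it is meant to hold. The function names and the sample headers are constructed for illustration, and the headers are assumed to come from an authenticated API request made with the token.

```shell
#!/bin/sh
# Added example: compare the scopes a classic GitHub PAT reports in the
# X-OAuth-Scopes response header with the scopes a CI job is meant to hold.
# Comparison is literal: a parent scope is not expanded into the scopes it implies.

# Constructed sample response headers.
sample_headers() {
    printf 'HTTP/2 200\r\nx-oauth-scopes: repo, read:org, workflow\r\nx-accepted-oauth-scopes: \r\n\r\n'
}

# Read raw response headers on stdin, print the granted scopes one per line.
token_scopes() {
    tr -d '\r' |
        awk '{ i = index($0, ":")
               if (i && tolower(substr($0, 1, i - 1)) == "x-oauth-scopes")
                   print substr($0, i + 1) }' |
        tr ',' '\n' |
        sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; /^$/d'
}

# Print granted scopes that are not in the allowlist ($1, space separated).
excess_scopes() {
    allowed=" $1 "
    token_scopes | while IFS= read -r scope; do
        case "$allowed" in
            *" $scope "*) ;;
            *) printf '%s\n' "$scope" ;;
        esac
    done
}

# Print required scopes ($1, space separated) that the token does not hold.
missing_scopes() {
    held=" $(token_scopes | tr '\n' ' ')"
    for scope in $1; do
        case "$held" in
            *" $scope "*) ;;
            *) printf '%s\n' "$scope" ;;
        esac
    done
}

# Demo: a job that should only hold "repo" is flagged for the two extra scopes.
sample_headers | excess_scopes "repo"
```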