Using GitHub app authentication for our Jenkins #32

Open
olamy opened this issue Nov 7, 2023 · 13 comments
@olamy
Member

olamy commented Nov 7, 2023

Hi,
Currently, our Jenkins is using personal credentials to access jetty org repos.
To avoid using too much of the GH rate limit of a single user.
See documentation here: https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc

Not sure how to proceed with that, as it will require an exchange of the key between you and us.

@jmcc0nn3ll
Contributor

@netomi We should be able to work this out, right? Using personal keys for something like this has been a security concern for us for some time.

@olamy
Member Author

olamy commented Nov 7, 2023

Maybe a possible option is to create an app here https://github.com/jetty-project and install it in the jetty org?
The app will require write access only to Checks and Commit Statuses. Other than that it's read access only.

@netomi
Contributor

netomi commented Nov 8, 2023

If you are able to create an app to create tokens on demand, it would be quite a neat solution; however, I am not sure how these tokens will be used / provided to Jenkins, they might need to be set statically.

We can create tokens for projects and provision them automatically to Jenkins for our own hosted Jenkins instances. In your case you are using a self-hosted Jenkins, so you will need to retrieve that token via a secure channel.

Can you chime in here @fredg02 if this would be a possibility?

@olamy
Member Author

olamy commented Nov 8, 2023

@netomi I have just created a GitHub app called Webtide Jenkins, owned by https://github.com/organizations/jetty-project and requesting some access to the jetty org.
Will that work for you?
Sounds very similar to what has been set up here: #31

@netomi
Contributor

netomi commented Nov 8, 2023

Looks perfectly fine to me, accepted the request.

@jmcc0nn3ll
Contributor

In the long term, I think we would like to retire that 'jetty-project' organization since it now clashes with the 'jetty' organization. Since Eclipse now allows us to bring over codebases like the old Jetty6 repository and archive it, there is little reason to keep that other organization around. It was meant for things we couldn't lose track of.

@fredg02

fredg02 commented Nov 9, 2023

> Can you chime in here @fredg02 if this would be a possibility?

We have set up GitHub apps for integration with Jenkins before. Since it's a manual process, we have not rolled this out for all our projects. In general, we prefer to set this up for projects, but Jetty is... special and using their own Jenkins instance.

@olamy
Member Author

olamy commented Nov 10, 2023

I have been trying the app we created and installed in the jetty org.
Sadly the Jenkins plugin is blocking apps not from the org of the git repository.
That's a bit weird, as the target org authorizes it and so perfectly knows the type of authz requested by the app.
I may propose a patch to the Jenkins plugin.

@fredg02 would you have any other easy way to do it? I can imagine you creating the GH App (with limited karma, such as only write for checks and status) in the jetty org and installing it, but you will need to give us the key file (well, that's a GH app with very limited authz).
Or maybe do you have another way to do it?

@netomi
Contributor

netomi commented Nov 10, 2023

We just had a similar request from another project where we created a GitHub App that is owned by the owner of the organization: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/3933 and shared the private keys with the project afterwards.

Could you also create a HelpDesk ticket to discuss that there?

@olamy
Member Author

olamy commented Nov 14, 2023

FTR I have fixed an issue on the Jenkins side to be able to use our GH App (jenkinsci/github-branch-source-plugin#744).
In the future I think, as @jmcc0nn3ll mentioned, we will use a GH App coming from the Webtide org.

@netomi
Contributor

netomi commented Nov 15, 2023

If you plan to use the GitHub App, there should be no need anymore for the webhooks that are currently defined for some repos, as they trigger the same endpoint on the Webtide Jenkins instance afaict. Otherwise the Jenkins instance would receive the same events twice?

@olamy
Member Author

olamy commented Nov 15, 2023

I'm not quite sure, as it may depend on the events the app has subscribed to.
Currently we have this, so not sure if we will receive code change events.

[Image: Screenshot from 2023-11-15 16-16-44]

@netomi
Contributor

netomi commented Nov 15, 2023

Fair enough, in this case, the additional webhooks are required.
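
An added example, not part of the thread or of any project's code: a check of a GitHub App installation against the scope described in the comments above (write only for Checks and Commit Statuses, read otherwise), together with the question raised at the end of whether the app's event subscriptions cover code changes. The sample installation object and the set of build-trigger events are constructed assumptions; the `permissions` and `events` field names follow the GitHub REST API installation object.

```python
# Constructed sample shaped like the "permissions" and "events" fields of a
# GitHub App installation object; the values are illustrative only.
SAMPLE_INSTALLATION = {
    "permissions": {
        "checks": "write",
        "statuses": "write",
        "contents": "read",
        "metadata": "read",
        "pull_requests": "read",
    },
    "events": ["check_run", "check_suite"],
}

# Policy taken from the thread: write only for Checks and Commit Statuses.
WRITE_ALLOWED = {"checks", "statuses"}
# Assumption: the events a CI server needs in order to react to code changes.
BUILD_TRIGGER_EVENTS = {"push", "pull_request"}


def audit_permissions(installation):
    """Return a list of findings where the grant exceeds the stated policy."""
    findings = []
    for scope, level in sorted(installation.get("permissions", {}).items()):
        if level == "read":
            continue
        if scope in WRITE_ALLOWED and level == "write":
            continue
        # Anything else (write outside the allow-list, admin, unknown level)
        # is broader than what the thread says the app needs.
        findings.append(f"{scope}: '{level}' exceeds policy")
    return findings


def missing_trigger_events(installation):
    """Return build-trigger events the app is NOT subscribed to.

    A non-empty result means separate repository webhooks are still needed
    for those events; an empty result means keeping them would deliver the
    same events to the CI endpoint twice.
    """
    subscribed = set(installation.get("events", []))
    return sorted(BUILD_TRIGGER_EVENTS - subscribed)


if __name__ == "__main__":
    print("permission findings:", audit_permissions(SAMPLE_INSTALLATION))
    print("events needing webhooks:", missing_trigger_events(SAMPLE_INSTALLATION))
```
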
