In Bitbucket, you can publicly access files in a private repo via https://bytebucket.org/username/repo/raw/sha/filename?token=sometoken.
The link (including sometoken) can be generated by clicking the Raw button in Bitbucket's file view.
I want to serve images in a wiki from this repository. Will this token ever expire?
I have added global credentials in Jenkins.
However, when I try to add them in my Pull Request builder plugin configuration, they don't seem available.
Any suggestions?
Using Jenkins 2.303.1
(the arrow on the left of the Add drop-down does not do anything)
The instructions in the GitHub pull request builder plugin documentation say that you need to "select Kind -> Secret text". Based on the icon in your credentials list, I think you have defined a credential type "Private key".
The pull request builder likely uses the GitHub APIs to perform many of its operations. GitHub APIs rely on a username and a personal access token. They generally do not support a private key as the credential.
Define a secret text credential as described in the online help.
I'm trying to set up Jenkins Multi-branch pipelines to add status checks to my GitHub private org repos. Blue Ocean requires the bot-user to have write (maybe more) privileges, listed as so:
I would like to pull code, write status checks but not push code. Is there any combination/workaround that will enable this?
P.s. I'm not entirely confident in what each scope enables and what permission level of collaborator (read/write/admin) they need even though I've read the hyperlinked docs.
A personal access token grants a user API access at the same level of their permissions within GitHub, never greater. For example if the user has read access to a repo and the token is marked as "Full control" then they will still only have read access to that repo.
Writing a Status Check requires the user to have Write, Maintain or Admin permission to your repos as described in this page:
https://help.github.com/en/articles/repository-permission-levels-for-an-organization
Write, as the name suggests, grants push permission to your repo so you will need to think about how to proceed.
I assume you're using GitHub.com (rather than GitHub Enterprise) so would suggest the following:
Grant the bot-user write access to your repo
Create a team of users who require push access
Enable the branch restriction "Restrict who can push to this branch"
Add the newly created team to the restriction
Set the "Branch name pattern" to *
https://help.github.com/en/articles/enabling-branch-restrictions
This will apply the restriction to all branches within your repo and prevent the user from pushing, but does not prevent the writing of status checks.
If you were using GitHub Enterprise I would consider a pre-receive hook to prevent the bot-user from being able to push code into your repos.
Mick
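One way to verify the outcome of the steps above is to read the branch protection back and confirm the bot account is not among the permitted pushers. This is an added example, not part of the original answer; the sample data is constructed in the shape of the `restrictions` object in GitHub's branch protection REST response, the logins and team slug are hypothetical, and the bot is assumed to hold Write, not Admin.

```python
# Added example: does a branch's push restriction exclude the bot account?
# Input mirrors the "restrictions" object of GitHub's branch protection response.

def allowed_pushers(protection, team_members):
    """Return the set of logins allowed to push, or None when unrestricted."""
    restrictions = protection.get("restrictions")
    if not restrictions:
        return None  # no restriction: every account with write access can push
    logins = {u["login"] for u in restrictions.get("users", [])}
    for team in restrictions.get("teams", []):
        # Team membership is a separate lookup; here it is passed in as a dict.
        logins |= set(team_members.get(team["slug"], ()))
    return logins

def bot_can_push(protection, bot_login, team_members):
    """True when the bot would still be able to push to the protected branch."""
    pushers = allowed_pushers(protection, team_members)
    return True if pushers is None else bot_login in pushers

# Constructed sample data (hypothetical logins and team slug).
TEAM_MEMBERS = {"pushers": ["alice", "bob"]}
RESTRICTED = {"restrictions": {"users": [], "teams": [{"slug": "pushers"}], "apps": []}}
UNRESTRICTED = {"restrictions": None}
BOT_LISTED = {"restrictions": {"users": [{"login": "ci-bot"}],
                               "teams": [{"slug": "pushers"}], "apps": []}}

if __name__ == "__main__":
    for name, prot in [("restricted", RESTRICTED), ("unrestricted", UNRESTRICTED),
                       ("bot listed", BOT_LISTED)]:
        print(name, "-> bot can push:", bot_can_push(prot, "ci-bot", TEAM_MEMBERS))
```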
We would like to use the GitHub Pull Request Builder plugin in Jenkins, however in order to use this plugin you are required to enter credentials in the 'Manage Jenkins > Configure System' section that gives access to a given GitHub Enterprise server.
Our issue is that credentials giving access to all of github are too strong to be stored in the credentials manager. I know that you can limit the scope of credentials by using the Folders plugin, however this just limits access to those credentials to jobs in certain folders. Is there a way to restrict credentials so they can only be used in the 'Manage Jenkins > Configure System' section?
Our issue is that credentials giving access to all of github are too strong to be stored in the credentials manager.
This is why you can also use a Personal Access Token. Check the documentation for the plugin at: https://go.cloudbees.com/docs/plugins/pull-request-builder-for-github/. This is not the official plugin page but having read both, this one keeps to the best practices in terms of credentials. The important bits are:
Go to your GitHub settings page.
In the left sidebar, click Personal Access Token.
Click Generate new token.
Give your token a descriptive name
Select the scopes to grant to this token. Pull request tester plugin requires permission to administer repository hooks and access repositories: repo, public_repo, admin:repo_hook, repo:status.
Then you can follow the rest of the guide to enter the token in the plugin configuration pages.
Hope this helps.
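The scope list in the answer above can be compared with what a token actually carries, since GitHub returns a classic token's scopes in the `X-OAuth-Scopes` response header. This is an added example, not part of the original answer or the plugin; the header values and function names are constructed, and the implication table covers only the scopes relevant here.

```python
# Added example: audit a classic GitHub token's scopes against the set the
# answer lists, reporting what is missing and what exceeds the requirement.

# Scopes named in the answer for the pull request builder plugin.
REQUIRED = {"repo", "public_repo", "admin:repo_hook", "repo:status"}

# Parent scopes that implicitly grant child scopes (subset, per GitHub's scope docs).
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
}

def parse_scopes(header_value):
    """Split an X-OAuth-Scopes value such as 'repo, admin:repo_hook'."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def expand(scopes):
    """Return the scopes plus everything they implicitly grant."""
    seen, stack = set(), list(scopes)
    while stack:
        scope = stack.pop()
        if scope not in seen:
            seen.add(scope)
            stack.extend(IMPLIES.get(scope, ()))
    return seen

def audit(header_value, required=REQUIRED):
    """Compare granted scopes with the required set."""
    granted = parse_scopes(header_value)
    effective, needed = expand(granted), expand(required)
    return {
        "missing": sorted(required - effective),                # plugin would fail
        "excess": sorted(s for s in granted if s not in needed),  # over-privileged
    }

if __name__ == "__main__":
    # Constructed header values, as they would appear on an API response.
    for value in ["repo, admin:repo_hook",
                  "repo:status, admin:repo_hook, delete_repo"]:
        print(repr(value), "->", audit(value))
```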
I am creating files with a custom version number during the build that I want to be publicly available through http.
Assuming I am building the project "MyTestApp", I want the version number text file I created to be available at a location like http://jenkins.company/job/MyTestApp/revision.txt
Any idea how to achieve this?
David, this depends on what you mean by "publicly available". If your Jenkins instance is secured (jenkins.company/configureSecurity/), then access to artifacts requires that your http session be authenticated. If all users who need access have accounts on the Jenkins server, then you just need to use the post-build action "archive the artifacts", and your text file would be available here:
jenkins.company/job/MyTestApp/jobnumber/artifact/revision.txt
Or here:
jenkins.company/job/MyTestApp/lastSuccessfulBuild/artifact/revision.txt
See this screenshot: http://note.io/17oiykI
If you need unauthenticated access, you could publish your artifacts to another web server on the same or a different host. Or you could upload them to an Amazon S3 bucket.
Here is what I've done so far.
Grabbed the Repository URL from AppHarbor
In bitbucket, I configured the AppHarbor service to use that token.
For the project, I entered the same name of the application I used in AppHarbor (I have no idea what a slug is)
I saved the settings
I granted apphb read permissions in Access Management
I pushed to bitbucket. I even created a dummy changeset to make sure it would get a new push
In AppHarbor, I clicked on "Build URL" and it tells me that my URL was successfully copied to the clipboard.
I followed the guide to the letter (well, with the exception of the slug, so I'm expecting that is the issue).
Steps to Follow and what gets filled in where:
On BitBucket:
Apphb needs read access to the repository (if it's private)
Go to admin
Add Service: AppHarbor
Token is the UglyValue from the "authorization=UglyValue" part of the build url
Project Name is the last part of the url when looking at that application on AppHarbor. So https://appharbor.com/applications/slug-is-here would use "slug-is-here"
Then you are good to go. You can get more complicated than that (like branches and whatnot) but that's the basic setup.