I'm building a Jenkins plugin that one of the features is to commit and push some files generated during the build. I already have the code to commit and to push (using Git client from org.jenkinsci.plugins), however when I execute
PushCommand push = gitClient.push();
push.ref(__MY_BRANCH__);
push.to(new URIish("origin"))
push.force();
push.execute();
I get an error not having permissions to push. So, my question is: how can I re-use the credentials of a project to proper configue gitClient or the pushCommand ?
--
Thanks,
Jose
You need to provide credentials to the GitClient.
For example, here you can see the Git plugin calling the GitClient#addDefaultCredentials() method, using credentials obtained from CredentialsMatchers.
You mention you want to re-use the credentials from the same job so — assuming that the Git plugin has been configured with those credentials — your plugin should have access to the AbstractBuild where you can use something like build.getProject().getScm().getUserRemoteConfigs().get(0).getCredentialsId to fetch the configured credentials ID.
You'll need to cast the SCM to GitSCM, but otherwise that should work fine.
Related
Just to quote as an example one can submit a remote-run with some tool like TeamCity (similar to Jenkins) where it will apply delta/patch on what user is trying to commit & produces result whether changes is good from set-of configured checks for that project.
With Github & Jenkins, can such validation be achieved with any plugins out there?, which will avoid breaking a build?
I know with pull-request & status check one can achieve similar end-result. But without commit/push to remote repo of Git - is there a way Jenkins can handle this validation & produce initial result ??
It isn't possible to have GitHub perform checks on data it doesn't have, so if you don't push the data to the remote server, GitHub won't know anything about it and therefore will do nothing.
Jenkins does have a REST API that you could use to do this, provided you equipped each developer with appropriate credentials. However, this is not a common situation and wouldn't be a recommended configuration.
You'd be better off with a script in the repository that users could install as a hook or invoke from a hook that would perform the testing you want. If your CI jobs run a script in your repository, then sharing code between them should be easy.
Note that you shouldn't mandate pre-commit hooks, since they can interfere with advanced users (who may make intentionally incomplete temporary commits) and they can be disabled by users. Any sort of required checks should be done as part of CI, where policy can be enforced appropriately.
I am using the GitHub pull request builder plugin in Jenkins to make pull requests on GitHub automatically trigger Jenkins jobs.
I am using GitHub Enterprise and when I try to get the values of environment vars ghprbActualCommitAuthor and ghprbActualCommitAuthorMail, I get incorrect values:
ghprbActualCommitAuthor : GitHub Enterprise
ghprbActualCommitAuthorEmail : noreply#github.***.com
Please help, thanks!
This behavior is seen in GitHub Enterprise when users commit changes directly using the web UI or they have not set their email addresses.
According to GHE support:
This is by design, since the commit is actually done by the GitHub Enterprise instance. This is because we do not impersonate users when creating commits.
You can fix this by ensuring that users make commits only through the Git clients using their own SSH credentials or Personal Access Tokens.
I'm trying to set up Jenkins Multi-branch pipelines to add status checks to my GitHub private org repos. Blue Ocean requires the bot-user to have write (maybe more) privileges, listed as so:
I would like to pull code, write status checks but not push code. Is there any combination/workaround that will enable this?
P.s. I'm not entirely confident in what each scope enables and what permission level of collaborator (read/write/admin) they need even though I've read the hyperlinked docs.
A personal access token grants a user API access at the same level of their permissions within GitHub, never greater. For example if the user has read access to a repo and the token is marked as "Full control" then they will still only have read access to that repo.
Writing a Status Check requires the user to have Write, Maintain or Admin permission to your repos as described in this page:
https://help.github.com/en/articles/repository-permission-levels-for-an-organization
Write, as the name suggests, grants push permission to your repo so you will need to think about how to proceed.
I assume you're using GitHub.com (rather than GitHub Enterprise) so would suggest the following:
Grant the bot-user write access to your repo
Create a team of users who require push access
Enable the branch restriction "Restrict who can push to this branch"
Add the newly created team you to the restriction
Set the "Branch name pattern" to *
https://help.github.com/en/articles/enabling-branch-restrictions
This will apply the restriction to all branches within your repo and prevent the user from pushing, but does not prevent the writing of status checks.
If you were using GitHub Enterprise I would consider a pre-receive hook to prevent the bot-user from being able to push code into your repos.
Mick
I'm looking for a way to automatically add +2 permissions for certain refs for a lot of projects in Gerrit and unfortunately it seems there are no API calls to modify access rights, only to read them. Do you have any idea how to modify refs permissions for a big amount of projects?
I'm using Gerrit 2.9.
Thanks.
One possibility would be to create a batch script to modify the project.config for those projects and commit them back to gerrit.
This is how you can checkout the project.config for the All-Projects, it works the same for other projects: http://blog.bruin.sg/2013/04/how-to-edit-the-project-config-for-all-projects-in-gerrit/
Simply put:
Create list of project you want to change
Iterate over the lest
Checkout the refs/meta/config ref
Use script to modify project.config
Commit and push back to the server
More information about the project.config: http://gerrit-review.googlesource.com/Documentation/config-project-config.html
Is there a way to use the credential store with the CVS plugin to access a CVS repository? Looking for a way to store credential once and have one place to change it, despite many jobs making use of it.
The CVS plugin doesn't use the credentials store directly (although there are potential plans to move to this in a future overhaul of the plugin), but it does have a concept of global credentials which should provide what you need. The reason for having something separate from global credentials was that CVS introduced this prior to the credentials plugin being available and the steps have never been taken to try and perform a migration.
To use this credential feature, ensure you have version 2.4 or above of the CVS plugin, goto your 'Manage Configuration' screen, scroll down to the CVS section and click the 'Add' button next to the 'Authentication' option. Once you've added any credentials in here, go back to the jobs you're wanting to use the global credentials on, check the CVS root matches what you put in the authentication section and that it doesn't contain a username and then run your job. When running, the console should then show 'Using globally configured credentials for...' when trying to connect to CVS.