docs/github-app.adoc
24 additions & 3 deletions
@@ -167,13 +167,34 @@ The following default permissions strategies are available:
167
167
* **All permissions available to the app installation** (default)
168
168
** The access tokens generated in untrusted contexts will have the same permissions as the app installation in GitHub
169
169
170
-
==== Repository access strategies and Pipeline libraries
170
+
==== Repository access strategies limitations
171
+
172
+
===== Jobs using plain Git
173
+
174
+
The inference-based modes for GitHub App Credentials are supported for Organization Folders and Multibranch Pipelines only. There are not supported in other contexts using plain Git such as:
175
+
* Pipeline script from SCM
176
+
* Standalone Pipeline
177
+
* Freestyle jobs
178
+
179
+
===== Pipeline libraries
180
+
181
+
Note that Pipeline libraries do not support inference, and will instead be inferred to have the same owner as the main SCM for the build itself. If the library's SCM is in a different repository than the build, you will not be able to use "Infer accessible repository" for the credentials used by the library.
182
+
183
+
If the library's SCM is in a different GitHub organization than the SCM for the build, you will also not be able to use "Infer owner and allow access to all owned repositories". To avoid these issues, you can configure the Pipeline library to use a credential with the "Specify accessible repositories" mode that allows access to the repository that contains the library itself.
171
184
172
-
Repository inference for GitHub App Credentials does not work when checking out Pipeline libraries.
173
-
If you have a GitHub App Credential for an Organization Folder or Multibranch Pipeline whose individual Pipeline jobs access a Pipeline library, the contextually inferred repository for the library checkout will be the repository for the Pipeline job rather than the library.
174
185
This means that the library will be inaccessible if you use an inference-based repository access strategy which only provides access to a single contextually-inferred repository, or if the Pipeline library is in a different GitHub organization than the repository being built.
186
+
175
187
For now, in this case, you either need to use a less restrictive strategy for the GitHub App credential, such as "Infer owner and allow access to all owned repositories", or you can define a second credential specifically for the Pipeline library which uses "Specify accessible repositories" and only allows access to the repository for the Pipeline library.
176
188
189
+
==== Backwards compatibility
190
+
191
+
[IMPORTANT]
192
+
The new configuration options are not fully backwards compatible.
193
+
194
+
For existing GitHub App credentials which do not have the owner field set, the migration to the new format is not fully compatible. These credentials migrate to the “Infer owner and allow access to all owned repositories” mode described in the documentation, which means that they will only work in contexts where the owner can be inferred, such as Organization Folders and Multibranch Pipelines.
195
+
196
+
If you are using the credentials in a context where inference is not supported, you will need to reconfigure these credentials to use the “Specify accessible repositories” mode instead, specifying the appropriate owner (or leaving it blank if the app is installed in a single GitHub organization).
197
+
177
198
=== Help?
178
199
179
200
Raise an issue on link:https://issues.jenkins-ci.org/[Jenkins jira]
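Review bot: The two unchanged paragraphs kept at new lines 185 and 187 no longer follow from the text before them. "This means that the library will be inaccessible if you use an inference-based repository access strategy..." used to explain the removed sentence about the contextually inferred repository being the one for the Pipeline job, but it now comes straight after the workaround paragraph at line 183, so "This" has nothing to refer to. Line 187 ("For now, in this case, you either need to use a less restrictive strategy...") then repeats the "Specify accessible repositories" advice that line 183 already gives, and it lists the broader "Infer owner and allow access to all owned repositories" option first. I would fold whatever is still needed from both into the new "Pipeline libraries" subsection and delete the rest, leading with the dedicated library credential since it grants the narrowest access. Two wording fixes in the added lines: at line 174 "There are not supported" should be "They are not supported", and at line 181 "do not support inference, and will instead be inferred to have the same owner" contradicts itself; consider saying that the owner is not inferred from the library's own SCM and the owner of the build's main SCM is used instead.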