[JENKINS-70984] Unable to clone repository when pr author has no push or admin permission

[jenkins-infra-bot]

After #527 was merged and https://issues.jenkins.io/browse/JENKINS-62220 was closed, I tried to change credential config and delete organization name config in credential setting, hoping the plugins can automatically set it during build.

 

At first it worked well, for repo that user has admin or push permission, everything worked, repo can be cloned, github checks can be published.

 

But if the pr author does not have admin or push permission.

 

Started by user 111
17:03:48 Connecting to https://github.intra.xxx.com/api/v3 using ghe github app sa-jenkins
Connecting to https://github.intra.xxx.com/api/v3 to check permissions of obtain list of xxx for playground/hello-world
Loading trusted files from base branch master at 6bafc2571f9e40ad62143bea3ea63f7b36c351c2 rather than 457c9f3248479a59364b08a5a8e4558859dd63ec
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID 9 but none match credential owner "". Set the right owner in the credential advanced options
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.lambda$generateAppInstallationToken$1(GitHubAppCredentials.java:249)
	at java.base/java.util.Optional.orElseThrow(Optional.java:408)
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:246)
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:298)
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getPassword(GitHubAppCredentials.java:327)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.createPasswordFile(CliGitAPIImpl.java:2453)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2067)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:623)
	at jenkins.plugins.git.GitSCMFileSystem$BuilderImpl.build(GitSCMFileSystem.java:451)
	at jenkins.scm.api.SCMFileSystem.of(SCMFileSystem.java:316)
	at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:104)
	at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:312)
	at hudson.model.ResourceController.execute(ResourceController.java:107)
	at hudson.model.Executor.run(Executor.java:449) 

I tried to ananlyse the backtrace but I cannot find anything valuable.

 

The build steps are as follows:
1. Create a build using the Multibranch plugin.
2. Determine the required builder based on the selected SCMSource and revision.
3. Call the build function of the selected builder.

There are two current issues:
1. Why was the build method within the GitHubSCMFileSystem in the Github-branch-source plugin not selected when choosing a builder, considering that this method can correctly select credentials?
2. Why does the branch build work correctly, or when the PR author has permission, the build works correctly? Is everything working correctly, or is there another reason?

The solution to the first issue could be to modify the git-plugin by changing the supports method and removing support for AbstractGitSCMSource objects (as shown in lines 274-275 of GitSCMFileSystem.java), theoretically allowing for correct selection of GitHubSCMFileSystem.

Regarding the second issue, I am unable to understand it. Upon reviewing the code, the paths taken for builds with or without permission for a PR are the same, and the SCM is also identical, with the only difference being the head revision.

 

---

Originally reported by leo_quote, imported from: Unable to clone repository when pr author has no push or admin permission

• status: Open
• priority: Minor
• component(s): git-client-plugin, github-branch-source-plugin
• label(s): pipeline, plugin
• resolution: Unresolved
• votes: 0
• watchers: 2
• imported: 2025-12-02

Raw content of original issue

After #527 was merged and https://issues.jenkins.io/browse/JENKINS-62220 was closed, I tried to change credential config and delete organization name config in credential setting, hoping the plugins can automatically set it during build.

 

At first it worked well, for repo that user has admin or push permission, everything worked, repo can be cloned, github checks can be published.

 

But if the pr author does not have admin or push permission.

 

Started by user 111
17:03:48 Connecting to https://github.intra.xxx.com/api/v3 using ghe github app sa-jenkins
Connecting to https://github.intra.xxx.com/api/v3 to check permissions of obtain list of xxx for playground/hello-world
Loading trusted files from base branch master at 6bafc2571f9e40ad62143bea3ea63f7b36c351c2 rather than 457c9f3248479a59364b08a5a8e4558859dd63ec
java.lang.IllegalArgumentException: Found multiple installations for GitHub app ID 9 but none match credential owner "". Set the right owner in the credential advanced options
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.lambda$generateAppInstallationToken$1(GitHubAppCredentials.java:249)
	at java.base/java.util.Optional.orElseThrow(Optional.java:408)
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.generateAppInstallationToken(GitHubAppCredentials.java:246)
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getToken(GitHubAppCredentials.java:298)
	at org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials.getPassword(GitHubAppCredentials.java:327)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.createPasswordFile(CliGitAPIImpl.java:2453)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2067)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:623)
	at jenkins.plugins.git.GitSCMFileSystem$BuilderImpl.build(GitSCMFileSystem.java:451)
	at jenkins.scm.api.SCMFileSystem.of(SCMFileSystem.java:316)
	at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:104)
	at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:312)
	at hudson.model.ResourceController.execute(ResourceController.java:107)
	at hudson.model.Executor.run(Executor.java:449) 

I tried to ananlyse the backtrace but I cannot find anything valuable.
 
The build steps are as follows:
1. Create a build using the Multibranch plugin.
2. Determine the required builder based on the selected SCMSource and revision.
3. Call the build function of the selected builder.
There are two current issues:
1. Why was the build method within the GitHubSCMFileSystem in the Github-branch-source plugin not selected when choosing a builder, considering that this method can correctly select credentials?
2. Why does the branch build work correctly, or when the PR author has permission, the build works correctly? Is everything working correctly, or is there another reason?
The solution to the first issue could be to modify the git-plugin by changing the supports method and removing support for AbstractGitSCMSource objects (as shown in lines 274-275 of GitSCMFileSystem.java), theoretically allowing for correct selection of GitHubSCMFileSystem.
Regarding the second issue, I am unable to understand it. Upon reviewing the code, the paths taken for builds with or without permission for a PR are the same, and the SCM is also identical, with the only difference being the head revision.
 

environment

Jenkins: 2.375.3<br/>
OS: Linux - 5.10.0-19-amd64<br/>
Java: 11.0.18 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)<br/>
---<br/>
analysis-model-api:10.23.1<br/>
antisamy-markup-formatter:159.v25b_c67cd35fb_<br/>
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5<br/>
authentication-tokens:1.4<br/>
aws-java-sdk:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-cloudformation:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-codebuild:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-ec2:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-ecr:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-ecs:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-efs:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-elasticbeanstalk:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-iam:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-logs:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-minimal:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-sns:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-sqs:1.12.406-374.v4cdf53953691<br/>
aws-java-sdk-ssm:1.12.406-374.v4cdf53953691<br/>
blueocean:1.27.3<br/>
blueocean-autofavorite:1.2.5<br/>
blueocean-bitbucket-pipeline:1.27.3<br/>
blueocean-commons:1.27.3<br/>
blueocean-config:1.27.3<br/>
blueocean-core-js:1.27.3<br/>
blueocean-dashboard:1.27.3<br/>
blueocean-display-url:2.4.1<br/>
blueocean-events:1.27.3<br/>
blueocean-git-pipeline:1.27.3<br/>
blueocean-github-pipeline:1.27.3<br/>
blueocean-i18n:1.27.3<br/>
blueocean-jira:1.27.3<br/>
blueocean-jwt:1.27.3<br/>
blueocean-personalization:1.27.3<br/>
blueocean-pipeline-api-impl:1.27.3<br/>
blueocean-pipeline-editor:1.27.3<br/>
blueocean-pipeline-scm-api:1.27.3<br/>
blueocean-rest:1.27.3<br/>
blueocean-rest-impl:1.27.3<br/>
blueocean-web:1.27.3<br/>
bootstrap4-api:4.6.0-5<br/>
bootstrap5-api:5.2.1-3<br/>
bouncycastle-api:2.27<br/>
branch-api:2.1071.v1a_188a_562481<br/>
caffeine-api:2.9.3-65.v6a_47d0f4d1fe<br/>
checks-api:1.8.1<br/>
cloudbees-bitbucket-branch-source:800.va_b_b_9a_a_5035c1<br/>
cloudbees-disk-usage-simple:178.v1a_4d2f6359a_8<br/>
cloudbees-folder:6.815.v0dd5a_cb_40e0e<br/>
cobertura:1.17<br/>
code-coverage-api:3.5.0<br/>
command-launcher:90.v669d7ccb_7c31<br/>
commons-lang3-api:3.12.0-36.vd97de6465d5b_<br/>
commons-text-api:1.10.0-36.vc008c8fcda_7b_<br/>
credentials:1224.vc23ca_a_9a_2cb_0<br/>
credentials-binding:523.vd859a_4b_122e6<br/>
data-tables-api:1.12.1-4<br/>
display-url-api:2.3.7<br/>
docker-commons:419.v8e3cd84ef49c<br/>
docker-workflow:563.vd5d2e5c4007f<br/>
durable-task:504.vb10d1ae5ba2f<br/>
echarts-api:5.4.0-1<br/>
email-ext:2.95<br/>
embeddable-build-status:339.v1edb_5e63da_45<br/>
extended-read-permission:3.2<br/>
favorite:2.4.1<br/>
font-awesome-api:6.2.1-1<br/>
forensics-api:1.17.0<br/>
git:5.0.0<br/>
git-client:4.2.0<br/>
git-server:99.va_0826a_b_cdfa_d<br/>
github:1.37.0<br/>
github-api:1.303-417.ve35d9dd78549<br/>
github-branch-source:1703.vd5a_2b_29c6cdc<br/>
github-checks:1.0.20-SNAPSHOT (private-23ee21e2-douwork)<br/>
github-oauth:0.39<br/>
github-scm-trait-notification-context:1.1<br/>
google-oauth-plugin:1.0.8<br/>
handlebars:3.0.8<br/>
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953<br/>
htmlpublisher:1.31<br/>
http_request:1.16<br/>
instance-identity:142.v04572ca_5b_265<br/>
ionicons-api:45.vf54fca_5d2154<br/>
jackson2-api:2.14.2-319.v37853346a_229<br/>
jakarta-activation-api:2.0.1-3<br/>
jakarta-mail-api:2.0.1-3<br/>
javax-activation-api:1.2.0-6<br/>
javax-mail-api:1.6.2-9<br/>
jaxb:2.3.8-1<br/>
jdk-tool:63.v62d2fd4b_4793<br/>
jenkins-design-language:1.27.3<br/>
jersey2-api:2.39.1-1<br/>
jira:3.9<br/>
jjwt-api:0.11.5-77.v646c772fddb_0<br/>
jquery3-api:3.6.1-2<br/>
jsch:0.1.55.61.va_e9ee26616e7<br/>
junit:1189.v1b_e593637fa_e<br/>
kubernetes:3900.va_dce992317b_4<br/>
kubernetes-client-api:6.4.1-215.v2ed17097a_8e9<br/>
kubernetes-credentials:0.10.0<br/>
lockable-resources:1131.vb_7c3d377e723<br/>
mailer:448.v5b_97805e3767<br/>
matrix-project:785.v06b_7f47b_c631<br/>
mercurial:1260.vdfb_723cdcc81<br/>
metrics:4.2.13-420.vea_2f17932dd6<br/>
mina-sshd-api-common:2.9.2-62.v199162f0a_2f8<br/>
mina-sshd-api-core:2.9.2-62.v199162f0a_2f8<br/>
monitoring:1.92.0<br/>
oauth-credentials:0.5<br/>
okhttp-api:4.10.0-132.v7a_7b_91cef39c<br/>
pipeline-build-step:487.va_823138eee8b_<br/>
pipeline-github:2.8-999999-SNAPSHOT (private-ae5af2e8-leo)<br/>
pipeline-githubnotify-step:49.vf37bf92d2bc8<br/>
pipeline-graph-analysis:202.va_d268e64deb_3<br/>
pipeline-groovy-lib:629.vb_5627b_ee2104<br/>
pipeline-input-step:466.v6d0a_5df34f81<br/>
pipeline-milestone-step:111.v449306f708b_7<br/>
pipeline-model-api:2.2125.vddb_a_44a_d605e<br/>
pipeline-model-definition:2.2125.vddb_a_44a_d605e<br/>
pipeline-model-extensions:2.2125.vddb_a_44a_d605e<br/>
pipeline-rest-api:2.32<br/>
pipeline-stage-step:305.ve96d0205c1c6<br/>
pipeline-stage-tags-metadata:2.2125.vddb_a_44a_d605e<br/>
pipeline-stage-view:2.32<br/>
pipeline-utility-steps:2.15.1<br/>
plain-credentials:143.v1b_df8b_d3b_e48<br/>
plugin-util-api:2.20.0<br/>
popper-api:1.16.1-3<br/>
popper2-api:2.11.6-2<br/>
prism-api:1.29.0-2<br/>
prometheus:2.1.2<br/>
pubsub-light:1.17<br/>
scm-api:631.v9143df5b_e4a_a<br/>
script-security:1229.v4880b_b_e905a_6<br/>
slack:631.v40deea_40323b<br/>
snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4<br/>
sse-gateway:1.26<br/>
ssh-credentials:305.v8f4381501156<br/>
ssh-steps:2.0.65.vd26b_5b_9b_de4d<br/>
sshd:3.275.v9e17c10f2571<br/>
structs:324.va_f5d6774f3a_d<br/>
timestamper:1.23<br/>
token-macro:321.vd7cc1f2a_52c8<br/>
trilead-api:2.84.v72119de229b_7<br/>
variant:59.vf075fe829ccb<br/>
warnings-ng:9.23.1<br/>
workflow-aggregator:596.v8c21c963d92d<br/>
workflow-api:1208.v0cc7c6e0da_9e<br/>
workflow-basic-steps:1010.vf7a_b_98e847c1<br/>
workflow-cps:3653.v07ea_433c90b_4<br/>
workflow-cps-global-lib:609.vd95673f149b_b<br/>
workflow-durable-task-step:1241.v1a_63e465f943<br/>
workflow-job:1289.vd1c337fd5354<br/>
workflow-multibranch:733.v109046189126<br/>
workflow-scm-step:408.v7d5b_135a_b_d49<br/>
workflow-step-api:639.v6eca_cd8c04a_a_<br/>
workflow-support:839.v35e2736cfd5c<br/>