Extend the GitUsernamePasswordBinding by exporting the credentials suitable for git credential store #1221

Open
wants to merge 1 commit into
base: master

@petr-tichy petr-tichy commented Feb 17, 2022

Extend the GitUsernamePasswordBinding by exporting the credentials suitable for git credential store

Checklist

  • I have read the CONTRIBUTING doc
  • I have added tests that verify my changes
  • Unit tests pass locally with my changes
  • I have added documentation as necessary
  • No Javadoc warnings were introduced with my changes
  • No spotbugs warnings were introduced with my changes
  • Documentation in README has been updated as necessary
  • I have interactively tested my changes

Types of changes

  • New feature (non-breaking change which adds functionality)

Further comments

This extends the GitUsernamePasswordBinding by exporting the credentials in a file format suitable for git credential store, which is in turn useful for the docker.build step using a BuildKit secret mount. This is currently the best option for forwarding HTTP credentials to docker.build while avoiding storing these in the image.

```groovy
// Jenkins pipeline
withCredentials([gitUsernamePassword(credentialsId: 'my-credentials-id',
                 hostName: 'github.com')]) {
  withEnv(['DOCKER_BUILDKIT=1']) {
    docker.build '', "--secret id=git_store,src=${GIT_CREDENTIAL_STORE} ."
  }
}
```

```dockerfile
# Dockerfile
RUN --mount=type=secret,id=git_store \
    git config credential.helper 'store --file /run/secrets/git_store' && \
    git clone https://github.com/private/repo
```

The above configuration is best used with GitHub App authentication provided by the GitHub Branch Source plugin. This issues a scoped temporary token valid for one hour, which is then used in HTTPS Basic Auth.
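
The file format the description above refers to, as an added example (not the plugin's code and not part of this pull request): git's credential store keeps one `scheme://user:password@host` entry per line, in plaintext, with user and password percent-encoded. The function names, the `ci-bot` user and the password are constructed for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import quote, unquote, urlsplit


def store_line(host, username, password, scheme="https"):
    """One credential-store entry; user and password are percent-encoded."""
    return f"{scheme}://{quote(username, safe='')}:{quote(password, safe='')}@{host}"


def write_store(path, lines):
    """Create the store file owner-only (0600); refuse to reuse an existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)  # enforce the mode regardless of the process umask
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("".join(line + "\n" for line in lines))


def lookup(path, host, scheme="https"):
    """Return (username, password) for host, or None: what any reader of the file gets."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = urlsplit(line.strip())
            if parts.scheme == scheme and parts.hostname == host:
                return unquote(parts.username or ""), unquote(parts.password or "")
    return None


def demo():
    # Constructed sample values; the password contains characters that would
    # corrupt the URL (and the host match) if written unencoded.
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "git_store")
    write_store(path, [store_line("github.com", "ci-bot", "p@ss:w/rd#1")])
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    return raw, mode, lookup(path, "github.com")


if __name__ == "__main__":
    raw, mode, creds = demo()
    print(raw.strip(), oct(mode), creds)
```

The round trip shows that the password is recoverable by anything that can read the file, so file permissions and cleanup of the temporary file are the only protection while the build runs.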

@github-actions github-actions bot added documentation Improvements or additions to documentation test labels Feb 17, 2022
@petr-tichy petr-tichy changed the title from "hostname" to "Extend the GitUsernamePasswordBinding by exporting the credentials suitable for git credential store" Feb 17, 2022

jtway commented Jun 22, 2022

Is there any update on this getting merged?

@MarkEWaite (Contributor)

> Is there any update on this getting merged?

It will likely be several months before I'm able to review, test, and merge this pull request.

protected static final class GenerateGitStore extends AbstractOnDiskBinding<StandardUsernamePasswordCredentials> {

private final String userVariable;
private final String passVariable;
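Review bot: the passVariable field in GenerateGitStore is a plain String, so say on the field itself (comment or Javadoc) that it holds the name of the environment variable and never the password. If it can ever hold the secret value, type it as hudson.util.Secret instead so it is not persisted in clear text; the same question applies to userVariable if the username is treated as sensitive.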

Check warning

Code scanning / Jenkins Security Scan

Jenkins: Plaintext password storage

Variable should be reviewed whether it stored a password and is serialized to disk: passVariable
@MarkEWaite MarkEWaite added enhancement Improvement or new feature and removed documentation Improvements or additions to documentation test labels Sep 3, 2022