github jenkins

How to set up GitHub credentials for an Organization in Jenkins?


We have an Organization in GitHub, and a private Jenkins instance that checks out code from various repositories belonging to that Organization. Up to this point, I've used a Personal Access Token (PAT) created under my GitHub account as the credentials that Jenkins uses to clone the repos for builds. Since the PAT is associated with my account, there's an (obvious, to me) weak point there - all our Jenkins builds are coupled to my GitHub account.

I want to eliminate the dependency on my GitHub account (or any one developer's GitHub account), and instead use some kind of credentials that are associated with the Organization. But I can't find a way to create an access token for an Organization.

How can Jenkins be set up to be able to clone repos from an Organization?


Solution

  • You can accomplish this by using a GitHub App and its "client secret." To do this, you need to have admin rights in the GitHub Organization.

    1. Go to the GitHub Organization settings - URL is like https://github.com/organizations/MyOrganization/settings/apps

    2. Click the button to create a New GitHub App.

    3. Fill out the required data for the app Name and URL (I just used the Organization page URL).

    4. Un-check the Webhook > Active option.

    5. In the Repository Permissions section, I selected the following:

      1. Actions: Read & Write

      2. Commit Status: Read & Write

      3. Contents: Read-only

      4. Packages: Read & Write (some of our jobs publish artifacts to GitHub Packages, yours may not need this).

      5. Pull Requests: Read-only

    6. Click the button to Create GitHub App.

    7. Back on the App page, click the button to Generate a new client secret.

      1. Copy the generated secret NOW, it won't be visible later.

    8. Also take note of the App ID (as of now, a 7-digit number).

    9. Click the Install App link (left-side navigation), then install the app into your Organization account.

    Back in Jenkins...

    Now that you have the App ID and Client Secret, go to your Jenkins server and navigate to the Credentials page (Manage Jenkins > Credentials).

    1. Click the Scope (System by default) and Domain ("global" by default) for the new credential, then Add Credentials.

    2. On the New Credentials form, select GitHub App as the Kind.

    3. For ID, leave it blank or make one up. This is NOT the GitHub App ID, this is the Jenkins credential ID and it will be generated if you don't enter one.

    4. For App ID, enter the App ID you noted in step 8 above.

    5. For Key, you'll use the client secret you copied in step 7.1 above.

      1. Make sure to click the help link (? icon) next to the Key label to get instructions for converting the secret into the right format.

    6. Click the Test Connection button to make sure you copy/pasted everything correctly.

    7. Click the Create button to add this credential.

    This credential can now be selected for use in the Source Code Management of your Jenkins builds.
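
A least-privilege check for the permission list in step 5, as an added example that is not part of the original answer: it compares the permissions reported for an app installation against that list and flags anything broader. The permission key names, the `repository_selection` field and the sample JSON are assumptions based on GitHub's REST API naming; the sample is constructed, and the `repository_selection` check goes beyond what the answer covers.

```python
import json

# Baseline taken from the permission list in step 5 of the answer above.
# Key names and the "read"/"write" levels follow GitHub's REST API naming
# (assumption: "Commit Status" is reported as "statuses"). "metadata" is
# included because GitHub grants it read-only to every app.
BASELINE = {
    "actions": "write",
    "statuses": "write",
    "contents": "read",
    "packages": "write",
    "pull_requests": "read",
    "metadata": "read",
}
LEVEL = {"read": 1, "write": 2, "admin": 3}


def audit_installation(installation: dict, baseline: dict = BASELINE) -> list[str]:
    """Return findings where the installation is broader than the baseline."""
    findings = []
    for name, granted in sorted(installation.get("permissions", {}).items()):
        allowed = baseline.get(name)
        if allowed is None:
            findings.append(f"{name}: '{granted}' granted, not in baseline")
        elif LEVEL.get(granted, 99) > LEVEL[allowed]:  # unknown level counts as excess
            findings.append(f"{name}: '{granted}' exceeds baseline '{allowed}'")
    if installation.get("repository_selection") == "all":
        findings.append("repository_selection: 'all' (covers every repo, including future ones)")
    return findings


# Constructed sample, shaped like an installation object from the REST API.
SAMPLE = json.loads("""
{
  "app_id": 1234567,
  "repository_selection": "all",
  "permissions": {
    "actions": "write", "statuses": "write", "contents": "write",
    "packages": "write", "pull_requests": "read", "metadata": "read",
    "administration": "write"
  }
}
""")

if __name__ == "__main__":
    for finding in audit_installation(SAMPLE):
        print("DRIFT", finding)
```

Adjust `BASELINE` to what your jobs need, for example dropping `packages` if nothing publishes to GitHub Packages.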