Introduce Credentials.forRun to contextualize secrets #293

Merged: 5 commits, Mar 26, 2022

@jglick jglick commented Mar 23, 2022

jenkinsci/github-branch-source-plugin#527 is a demonstrated use case, and jenkinsci/conjur-credentials-plugin#21 a proposed one.

This new SPI requires use of the CredentialsProvider.findCredentialById method, which passes a (mandatory) Run argument and is the normal way to look up a particular credential during a build. (credentials-binding has long used it—jenkinsci/credentials-binding-plugin#169 is the integration test—and the revised version of jenkinsci/git-plugin#1242 is able to use it consistently as well.) There are other lookup methods which take an Item (~ Job) or even ItemGroup (~ Jenkins / Folder / MultiBranchProject / OrganizationFolder) context, which would suffice for jenkinsci/github-branch-source-plugin#527 (which would usually be inspecting a MultiBranchProject though I left in support for standalone Job projects using the github plugin’s project property as well). If and when such an SPI becomes desirable, it should be possible to compatibly introduce Credentials.forItem (defaulting to this, rewrite the default of forRun to delegate to forItem(run.getParent())) or even forItemGroup (similar delegation chain).
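
A sketch of the delegation chain proposed in the description above, added here as an illustration and not code from the pull request or the credentials plugin. `Item`, `ItemGroup` and `Run` are simplified stand-ins for the Jenkins types, `forItem` and `forItemGroup` are the hypothetical future methods the description mentions, and `ScopedToken`, `StaticSecret` and `findForRun` are invented for the example.

```java
import java.util.Objects;

// Simplified stand-ins for the Jenkins types named in the description
// (assumptions for this sketch, not the real hudson.model classes).
interface ItemGroup { String fullName(); }
record Item(String name, ItemGroup parent) {}
record Run(Item parent, int number) { Item getParent() { return parent; } }

interface Credentials {
    String secret();
    // Proposed chain: each narrower context falls back to the next wider one.
    default Credentials forItemGroup(ItemGroup group) { return this; }
    default Credentials forItem(Item item) { return forItemGroup(item.parent()); }
    default Credentials forRun(Run run) { return forItem(run.getParent()); }
}

// Hypothetical credential whose usable secret depends on where it is used.
record ScopedToken(String id, String scope) implements Credentials {
    public String secret() { return "token-for-" + id + "@" + scope; } // constructed value
    @Override public Credentials forItem(Item item) {
        return new ScopedToken(id, item.parent().fullName() + "/" + item.name());
    }
}

// A credential that ignores context inherits the defaults and comes back unchanged.
record StaticSecret(String secret) implements Credentials {}

public class ForRunSketch {
    // Stand-in for a build-time lookup that takes a Run, in the role the description
    // gives CredentialsProvider.findCredentialById: the stored object is
    // contextualized before the caller ever sees it.
    static Credentials findForRun(Credentials stored, Run run) {
        return Objects.requireNonNull(stored).forRun(run);
    }

    public static void main(String[] args) {
        ItemGroup org = () -> "acme-org"; // constructed sample data
        Run run = new Run(new Item("widgets", org), 7);
        System.out.println(findForRun(new ScopedToken("gh-app", "unscoped"), run).secret());
        System.out.println(findForRun(new StaticSecret("s3cr3t"), run).secret());
    }
}
```

Because `ScopedToken` overrides only `forItem`, a lookup that supplies a `Run` still reaches it through the default `forRun`, which is the compatibility property the description relies on.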

@jglick jglick changed the title Introduce Credentials.forRun to comtextualize secrets Introduce Credentials.forRun to contextualize secrets Mar 23, 2022
@jglick jglick requested a review from timja March 23, 2022 20:27
@jglick jglick marked this pull request as ready for review March 26, 2022 00:30
@jglick jglick requested a review from MarkEWaite March 26, 2022 00:36
MarkEWaite added a commit to MarkEWaite/docker-lfs that referenced this pull request Mar 26, 2022
Includes GitHub App authentication enhancement from Jesse Glick for
credentials by context.

jenkinsci/github-branch-source-plugin#527
needs this so that it can use the enhancement in
jenkinsci/credentials-plugin#293

Otherwise `withCredentials` works but `checkout scm` does not work
MarkEWaite added a commit to MarkEWaite/docker-lfs that referenced this pull request Mar 26, 2022
jenkinsci/credentials-plugin#293 to
contextualize secrets in an incremental build for testing
@MarkEWaite MarkEWaite left a comment

I've run it in my Jenkins test instance and have not detected any issues. I have not exercised contextualized secrets yet in that instance.

@jglick jglick merged commit 4fe3345 into jenkinsci:master Mar 26, 2022
@jglick jglick deleted the Credentials.forRun branch March 26, 2022 16:41
jglick added a commit to jglick/github-branch-source-plugin-1 that referenced this pull request Mar 26, 2022
jglick added a commit to jglick/credentials-binding-plugin that referenced this pull request Mar 26, 2022