使用与在后步骤中的 Shell 脚本中克隆相同的 http git 凭据

Question

I want to automate our Release process and I have a following Jenkins build job for a Maven project:

• Cloning a Git repo with configured Jenkins Credentials (username/password)
• Executing some Maven commands for the build
• Having a Post Step configured which executes some additional Git commands: merge, tag, push

If I run the build I receive following error during executing my Post Step Shell script:

fatal: could not read Username for 'https://mygitserver': Input/output error

The Git Repo server uses HTTP for Authentication.

In the Console Log I can see that Jenkins uses.gitcredentials to handle the Authentication:

using .gitcredentials to set credentials
> git config --local credential.username jenkins # timeout=10
> git config --local credential.helper store --file=/tmp/git2442727044778485.credentials # timeout=10

I would like now to reuse actually these credential store because they are created at the beginning of my build, but are removed again after cloning.

Is this somehow possible or do I need to handle this somehow by myself with the "Credentials Binding Plugin", etc.?

Answer 1

因为我还没有找到任何解决方案来在构建开始时重用来自 clone 命令的初始 Git 凭据，所以我现在刚刚使用了 Jenkins 凭据绑定插件，并在 Post 中为我的自定义 git 命令创建了自己的凭据存储步骤。

Answer 2

Here is a path I took in order to fulfil a similar need:

• I added a public ssh key in my git account
• I added the ssh private key and passphrase as ssh credential in jenkins
• I used this credential in my git repo clone phase
• I reused the same credential in my ssh agent jenkins build environment ** hence all post build shell script will use it

Answer 3

The Credentials Binding plugin mentioned by @olibur can be used together with a custom GIT_ASKPASS script to allow authentification with a GitHub App:

First the GitHub Branch Source plugin can be used to store credentials for an installed GitHub App.

The Credentials Binding plugin must be set up to give "Username and password (separate)" with the GitHub App credentials. The password will be the temporary access token. In the following it is accessed as GITHUB_TOKEN . The user name is the App Id.

To allow to access GitHub the token must be returned from an askpass script. With an "Inject environment variables" build step the location of the script can be defined to be in a known location available in all build steps:

GIT_ASKPASS=$WORKSPACE/git-askpass.sh

It must be filled as first bash script build step before the repository can actually be accessed by git:

echo 'echo $GITHUB_TOKEN' > $GIT_ASKPASS
chmod +x $GIT_ASKPASS

The script is now available in all following build steps and git can be used without specifying any credentials.

Answer 4

There is interesting tutorial how to pass jenkins credentials into the pipeline scripts: https://www.baeldung.com/ops/jenkins-inject-git-secrets#2-use-credentials-in-pipeline

And additional one here: https://www.jenkins.io/blog/2021/07/27/git-credentials-binding-phase-1/