docs/github-app.adoc (24 additions & 4 deletions)
@@ -167,12 +167,32 @@ The following default permissions strategies are available:
167
167
* **All permissions available to the app installation** (default)
168
168
** The access tokens generated in untrusted contexts will have the same permissions as the app installation in GitHub
169
169
170
-
==== Repository access strategies and Pipeline libraries
170
+
==== Repository access strategies limitations
171
+
172
+
===== Jobs using plain Git
173
+
174
+
The inference-based modes for GitHub App Credentials are supported for Organization Folders and Multibranch Pipelines only. There are not supported in other contexts using plain Git such as:
175
+
* Standalone Pipeline jobs using "Pipeline script from SCM"
176
+
* Non-Pipeline jobs (unless you configure the project property named "GitHub project page")
177
+
178
+
===== Pipeline libraries
179
+
180
+
Note that Pipeline libraries do not support inference, and will instead be inferred to have the same owner as the main SCM for the build itself. If the library's SCM is in a different repository than the build, you will not be able to use "Infer accessible repository" for the credentials used by the library.
181
+
182
+
If the library's SCM is in a different GitHub organization than the SCM for the build, you will also not be able to use "Infer owner and allow access to all owned repositories". To avoid these issues, you can configure the Pipeline library to use a credential with the "Specify accessible repositories" mode that allows access to the repository that contains the library itself.
171
183
172
-
Repository inference for GitHub App Credentials does not work when checking out Pipeline libraries.
173
-
If you have a GitHub App Credential for an Organization Folder or Multibranch Pipeline whose individual Pipeline jobs access a Pipeline library, the contextually inferred repository for the library checkout will be the repository for the Pipeline job rather than the library.
174
184
This means that the library will be inaccessible if you use an inference-based repository access strategy which only provides access to a single contextually-inferred repository, or if the Pipeline library is in a different GitHub organization than the repository being built.
175
-
For now, in this case, you either need to use a less restrictive strategy for the GitHub App credential, such as "Infer owner and allow access to all owned repositories", or you can define a second credential specifically for the Pipeline library which uses "Specify accessible repositories" and only allows access to the repository for the Pipeline library.
185
+
186
+
For now, in this case, you either need to use a less restrictive strategy for the GitHub App credential, such as "Infer owner and allow access to all owned repositories" (only works if the library is only used from jobs inside of Organization Folders and Multibranch Pipelines), or "Specify accessible repositories", which works in all cases. If desired, you can also create a second credential specifically for the library, which uses "Specify accessible repositories" to restrict access to only the library's repository and configures the "Default permissions strategy" to only allow read access.
187
+
188
+
==== Backwards compatibility
189
+
190
+
[IMPORTANT]
191
+
The new configuration options are not fully backwards compatible.
192
+
193
+
For existing GitHub App credentials which do not have the owner field set, the migration to the new format is not fully compatible. These credentials migrate to the “Infer owner and allow access to all owned repositories” mode described in the documentation, which means that they will only work in contexts where the owner can be inferred, such as Organization Folders and Multibranch Pipelines.
194
+
195
+
If you are using the credentials in a context where inference is not supported, you will need to reconfigure these credentials to use the “Specify accessible repositories” mode instead, specifying the appropriate owner (or leaving it blank if the app is installed in a single GitHub organization).
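Review bot: At new line 174, "There are not supported in other contexts" should read "They are not supported in other contexts". At new line 180, "do not support inference, and will instead be inferred to have the same owner" contradicts itself; wording closer to the removed text, for example that the library checkout uses the owner and repository inferred for the build's main SCM, would be clearer. The retained context line 184 ("This means that the library will be inaccessible ...") has lost the two removed sentences it referred to and now follows the "To avoid these issues" advice on line 182, while line 186 gives that same advice a second time; consider folding lines 180 to 186 into one explanation followed by one recommendation. In the Backwards compatibility section, [IMPORTANT] without a delimited block applies only to the paragraph on line 191, so confirm that lines 193 and 195 are meant to sit outside the admonition, and replace the curly quotes around the mode names there with the straight quotes used in the rest of the file.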