Support GitHub App authentication for Jenkins integration

[tupton]

Personal access tokens are currently required for the github plugin to work; cf. https://github.com/semantic-release/github/blob/master/README.md#environment-variables

GitHub App authentication is the recommended way to integrate GitHub access into Jenkins pipelines: https://www.jenkins.io/blog/2020/04/16/github-app-authentication/

Passing a GitHub App access token in the environment variable GH_TOKEN does not work with the github plugin. Is it possible to use a different environment variable or otherwise specify a GitHub App token for the github plugin to use?

2020-09-18T19:14:56.087Z semantic-release:git Error: Command failed with exit code 128: git push --dry-run --no-verify https://github.com/<org>/<repo>.git HEAD:dev
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/<org>/<repo>.git/'
    at makeError (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/execa/lib/error.js:59:11)
    at handlePromise (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/execa/index.js:114:26)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async verifyAuth (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/lib/git.js:207:5)
    at async module.exports (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/lib/get-git-auth-url.js:45:5)
    at async run (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/index.js:56:27)
    at async module.exports (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/index.js:260:22)
    at async module.exports (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/cli.js:55:5)
[7:14:56 PM] [semantic-release] › ✖  An error occurred while running semantic-release: Error: Command failed with exit code 128: git ls-remote --heads https://[secure]@github.com/<org>/<repo>.git
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/<org>/<repo>.git/'
    at makeError (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/execa/lib/error.js:59:11)
    at handlePromise (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/execa/index.js:114:26)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async getBranches (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/lib/git.js:66:11)
    at async module.exports (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/lib/branches/expand.js:6:23)
    at async module.exports (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/lib/branches/index.js:14:26)
    at async run (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/index.js:57:22)
    at async module.exports (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/index.js:260:22)
    at async module.exports (/tmp/jenkins-df6e4f06/workspace/<ws>/node_modules/semantic-release/cli.js:55:5) {
  shortMessage: 'Command failed with exit code 128: git ls-remote --heads https://[secure]@github.com/<org>/<repo>.git',
  command: 'git ls-remote --heads https://[secure]@github.com/<org>/<repo>.git',
  exitCode: 128,
  signal: undefined,
  signalDescription: undefined,
  stdout: '',
  stderr: 'remote: Invalid username or password.\n' +
    "fatal: Authentication failed for 'https://github.com/<org>/<repo>.git/'",
  failed: true,
  timedOut: false,
  isCanceled: false,
  killed: false
}

[gr2m]

GitHub App access token

You mean an installation access token? THat's what ${{ secrets.GITHUB_TOKEN }} is, so if you pass your own, that should just work?

[tupton]

I'm unsure if there's a difference between what Jenkins calls "GitHub App tokens" and what you call an installation token, but I'm passing this token as GH_TOKEN like so in my Jenkinsfile and it's resulting in the above error. When using a personal access token in the same manner, the github plugin works as expected – but that's a problem because we don't want to use personal GitHub accounts for semantic-release bot updates.

withCredentials([usernamePassword(credentialsId: '<creds-id>', usernameVariable: 'GITHUB_APP', passwordVariable: 'GITHUB_TOKEN')]) {
  withCredentials([string(credentialsId: 'NPM_TOKEN', variable: 'NPM_TOKEN')]) {
    withEnv(["GH_TOKEN=$GITHUB_TOKEN", "NPM_TOKEN=$NPM_TOKEN"]) {
      sh "npx semantic-release --debug"
    }
  }
}

Should I be passing this token in some other manner?

[gr2m]

Hmm I'm not familiar with Jenkins I'm afraid... I'm not sure how to debug the problem

[travi]

we don't want to use personal GitHub accounts for semantic-release bot updates

the most common way to use semantic-release with a "bot" account is to create a normal user account that is not associated with a real person and simply treat it as a bot account. github doesnt really provide such a thing as a bot account for this type of a purpose. simply create a personal access token from this account that you create to associate with that account instead of any particular person's personal account

[gr2m]

Ah thanks @travi. Yeah, that's what I do all the time for org-based projects, too

[tupton]

the most common way to use semantic-release with a "bot" account is to create a normal user account that is not associated with a real person and simply treat it as a bot account.

This is what we're doing now, but we don't want another github account just for this purpose. This is exactly the reason that GithHub apps exist.

octokit appears to support GitHub App authentication. I had initially thought that the way the semantic release github plugin provides the auth token might be to blame – it could be just auth: githubToken – but that's possibly a red herring:

https://github.com/semantic-release/github/blob/master/lib/get-client.js#L33

GitHub App tokens provided by the Jenkins integration do appear to work with this plugin. My issue is that the non-github-api uses of git were failing when invoking semantic-release because GH_TOKEN has no bearing on that authentication. You need to ensure that the environment in which you invoke semantic-release has git credentials (not necessarily github credentials, and certainly not just github api credentials ) set up properly; in Jenkins multi-branch pipeline setups this is not automatic and usually requires setting up ssh keys or whatever authentication mechanism you want to use in addition to the usual project settings.

For posterity: @semantic-release/github does support GitHub App authentication. semantic-release itself also needs an environment in which direct calls to git are authenticated using the method of your choice, e.g. ssh keys.

Thanks for taking a look, and apologies for conflating these two authentication mechanisms.

[gr2m]

you can use a GitHub App's installation access token to authenticate git operations, however you need to set the username to x-access-token, e.g. https://x-access-token:<token>@github.com/owner/repo.git

See https://docs.github.com/en/developers/apps/authenticating-with-github-apps#http-based-git-access-by-an-installation

We do that in semantic-release core:
https://github.com/semantic-release/semantic-release/blob/b4c5d0a436fa5a4e98d8326f0512fa8a2f1f4f67/lib/get-git-auth-url.js#L22-L24

But only when GitHub App environment variables are present. I remember we tried to make it work with any installation access tokens but it added too much complexity and/or was to unreliable, so we settled on just making it work for GitHub Actions, which is the most common usage.

[tomavic]

I tried this manner with my Package and Jenkins didn't recognise the @semantic-release/github. It keep fails at verifyCondition step where it can't find a GH_TOKEN in my environment variables HOWEVER I already use both @semantic-release/git and @semantic-release/npm and they work perfectly as Expected although they CAN read GH_TOKEN!!!

Your help is appreciated ,,,