After updating to version 887, can't use sh to run remote-accessing git commands in pipeline

[evonz-mx]

Jenkins and plugins versions report

Environment

```text Jenkins: 2.452.2 OS: Linux - 4.15.0-213-generic Java: 17.0.11 - Eclipse Adoptium (OpenJDK 64-Bit Server VM) --- Office-365-Connector:4.21.1 PrioritySorter:5.1.0 amazon-ecr:1.136.v914ea_5948634 analysis-model-api:12.3.3 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 apache-httpcomponents-client-5-api:5.3.1-1.0 asm-api:9.7-33.v4d23ef79fcc8 audit-trail:361.v82cde86c784e authentication-tokens:1.113.v81215a_241826 authorize-project:1.7.2 aws-credentials:231.v08a_59f17d742 aws-java-sdk:1.12.730-457.v3403b_37d2170 aws-java-sdk-api-gateway:1.12.730-457.v3403b_37d2170 aws-java-sdk-autoscaling:1.12.730-457.v3403b_37d2170 aws-java-sdk-cloudformation:1.12.730-457.v3403b_37d2170 aws-java-sdk-cloudfront:1.12.730-457.v3403b_37d2170 aws-java-sdk-codebuild:1.12.730-457.v3403b_37d2170 aws-java-sdk-codedeploy:1.12.730-457.v3403b_37d2170 aws-java-sdk-ec2:1.12.730-457.v3403b_37d2170 aws-java-sdk-ecr:1.12.730-457.v3403b_37d2170 aws-java-sdk-ecs:1.12.730-457.v3403b_37d2170 aws-java-sdk-efs:1.12.730-457.v3403b_37d2170 aws-java-sdk-elasticbeanstalk:1.12.730-457.v3403b_37d2170 aws-java-sdk-elasticloadbalancingv2:1.12.730-457.v3403b_37d2170 aws-java-sdk-iam:1.12.730-457.v3403b_37d2170 aws-java-sdk-kinesis:1.12.730-457.v3403b_37d2170 aws-java-sdk-lambda:1.12.730-457.v3403b_37d2170 aws-java-sdk-logs:1.12.730-457.v3403b_37d2170 aws-java-sdk-minimal:1.12.730-457.v3403b_37d2170 aws-java-sdk-organizations:1.12.730-457.v3403b_37d2170 aws-java-sdk-secretsmanager:1.12.730-457.v3403b_37d2170 aws-java-sdk-sns:1.12.730-457.v3403b_37d2170 aws-java-sdk-sqs:1.12.730-457.v3403b_37d2170 aws-java-sdk-ssm:1.12.730-457.v3403b_37d2170 aws-lambda:0.5.10 awseb-deployment-plugin:0.3.21 azure-credentials:312.v0f3973cd1e59 azure-sdk:174.va_89c1df897d2 bitbucket:241.v6d24a_57f9359 blueocean:1.27.13 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.13 blueocean-commons:1.27.13 blueocean-config:1.27.13 blueocean-core-js:1.27.13 blueocean-dashboard:1.27.13 blueocean-display-url:2.4.2 blueocean-events:1.27.13 blueocean-git-pipeline:1.27.13 blueocean-github-pipeline:1.27.13 blueocean-i18n:1.27.13 blueocean-jwt:1.27.13 blueocean-personalization:1.27.13 blueocean-pipeline-api-impl:1.27.13 blueocean-pipeline-editor:1.27.13 blueocean-pipeline-scm-api:1.27.13 blueocean-rest:1.27.13 blueocean-rest-impl:1.27.13 blueocean-web:1.27.13 bootstrap5-api:5.3.3-1 bouncycastle-api:2.30.1.78.1-233.vfdcdeb_0a_08a_a_ branch-api:2.1169.va_f810c56e895 build-name-setter:2.4.2 build-pipeline-plugin:2.0.2 build-timeout:1.33 build-user-vars-plugin:166.v52976843b_435 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.2.0 cloudbees-bitbucket-branch-source:887.va_d359b_3d2d8d cloudbees-folder:6.928.v7c780211d66e codedeploy:1.23 command-launcher:107.v773860566e2e commons-compress-api:1.26.1-2 commons-httpclient3-api:3.1-3 commons-lang3-api:3.14.0-76.vda_5591261cfe commons-text-api:1.12.0-119.v73ef73f2345d conditional-buildstep:1.4.3 config-file-provider:973.vb_a_80ecb_9a_4d0 content-replace:1.8.2 copyartifact:746.vd2a_674fb_4f6f credentials:1344.v5a_3f65a_1e173 credentials-binding:677.vdc9d38cb_254d dark-theme:439.vdef09f81f85e dashboard-view:2.508.va_74654f026d1 data-tables-api:2.0.8-1 display-url-api:2.204.vf6fddd8a_8b_e9 docker-build-publish:1.4.0 docker-commons:439.va_3cb_0a_6a_fb_29 docker-custom-build-environment:1.7.3 docker-java-api:3.3.6-90.ve7c5c7535ddd docker-workflow:580.vc0c340686b_54 durable-task:555.v6802fe0f0b_82 ec2:1688.v8c07e01d657f echarts-api:5.5.0-1 eddsa-api:0.3.0-4.v84c6f0f4969e email-ext:1814.v404722f34263 envinject:2.908.v66a_774b_31d93 envinject-api:1.199.v3ce31253ed13 extended-read-permission:53.v6499940139e5 external-monitor-job:215.v2e88e894db_f8 favorite:2.218.vd60382506538 flatpickr-api:4.6.13-5.v534d8025a_a_59 font-awesome-api:6.5.2-1 forensics-api:2.4.0 git:5.2.2 git-client:5.0.0 git-parameter:0.9.19 github:1.39.0 github-api:1.318-461.v7a_c09c9fa_d63 github-branch-source:1789.v5b_0c0cea_18c3 google-chat-notification:147.v68a_27a_f15577 google-login:109.v022b_cf87b_e5b_ google-oauth-plugin:1.330.vf5e86021cb_ec gson-api:2.11.0-41.v019fcf6125dc handy-uri-templates-2-api:2.1.8-30.v7e777411b_148 htmlpublisher:1.35 http_request:1.18 instance-identity:185.v303dc7c645f9 ionicons-api:74.v93d5eb_813d5f jackson2-api:2.17.0-379.v02de8ec9f64c jakarta-activation-api:2.1.3-1 jakarta-mail-api:2.1.3-1 javadoc:243.vb_b_503b_b_45537 javax-activation-api:1.2.0-7 javax-mail-api:1.6.2-10 jaxb:2.3.9-1 jdk-tool:73.vddf737284550 jenkins-design-language:1.27.13 jjwt-api:0.11.5-112.ve82dfb_224b_a_d joda-time-api:2.12.7-29.v5a_b_e3a_82269a_ jquery:1.12.4-1 jquery3-api:3.7.1-2 jsch:0.2.16-86.v42e010d9484b_ json-api:20240303-41.v94e11e6de726 json-path-api:2.9.0-58.v62e3e85b_a_655 junit:1265.v65b_14fa_f12f0 kubernetes-cli:1.12.1 kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2 kubernetes-credentials:174.va_36e093562d9 ldap:725.v3cb_b_711b_1a_ef mailer:472.vf7c289a_4b_420 mapdb-api:1.0.9-40.v58107308b_7a_7 mask-passwords:173.v6a_077a_291eb_5 matrix-auth:3.2.2 matrix-project:832.va_66e270d2946 maven-plugin:3.23 mercurial:1260.vdfb_723cdcc81 mina-sshd-api-common:2.12.1-113.v4d3ea_5eb_7f72 mina-sshd-api-core:2.12.1-113.v4d3ea_5eb_7f72 msbuild:1.33 multibranch-scan-webhook-trigger:1.0.11 newrelic-deployment-notifier:1.11 node-iterator-api:55.v3b_77d4032326 nodejs:1.6.1 nvm-wrapper:0.1.7 oauth-credentials:0.653.v14cf2088e950 okhttp-api:4.11.0-172.vda_da_1feeb_c6e pam-auth:1.11 parameterized-trigger:806.vf6fff3e28c3e pipeline-aws:1.45 pipeline-build-step:540.vb_e8849e1a_b_d8 pipeline-graph-analysis:216.vfd8b_ece330ca_ pipeline-groovy-lib:727.ve832a_9244dfa_ pipeline-input-step:495.ve9c153f6067b_ pipeline-milestone-step:119.vdfdc43fc3b_9a_ pipeline-model-api:2.2198.v41dd8ef6dd56 pipeline-model-definition:2.2198.v41dd8ef6dd56 pipeline-model-extensions:2.2198.v41dd8ef6dd56 pipeline-rest-api:2.34 pipeline-stage-step:312.v8cd10304c27a_ pipeline-stage-tags-metadata:2.2198.v41dd8ef6dd56 pipeline-stage-view:2.34 pipeline-utility-steps:2.17.0 plain-credentials:183.va_de8f1dd5a_2b_ plugin-util-api:4.1.0 prism-api:1.29.0-15 publish-over:0.22 pubsub-light:1.18 resource-disposer:0.23 role-strategy:727.vd344b_eec783d run-condition:1.7 saltstack:3.2.2 saml:4.464.vea_cb_75d7f5e0 schedule-build:577.v0613c45b_9eef scm-api:690.vfc8b_54395023 script-security:1341.va_2819b_414686 slack:722.vd07f1ea_7ff40 snakeyaml-api:2.2-111.vc6598e30cc65 sse-gateway:1.27 ssh-credentials:337.v395d2403ccd4 ssh-slaves:2.973.v0fa_8c0dea_f9f sshd:3.330.vc866a_8389b_58 structs:338.v848422169819 test-results-analyzer:0.4.1 theme-manager:262.vc57ee4a_eda_5d timestamper:1.27 token-macro:400.v35420b_922dcb_ trilead-api:2.147.vb_73cc728a_32e variant:60.v7290fc0eb_b_cd warnings-ng:11.3.0 windows-azure-storage:419.v4046cd70d2e3 workflow-aggregator:596.v8c21c963d92d workflow-api:1316.v33eb_726c50b_a_ workflow-basic-steps:1058.vcb_fc1e3a_21a_9 workflow-cps:3903.v48a_8836749e9 workflow-durable-task-step:1353.v1891a_b_01da_18 workflow-job:1400.v7fd111b_ec82f workflow-multibranch:783.787.v50539468395f workflow-scm-step:427.v4ca_6512e7df1 workflow-step-api:657.v03b_e8115821b_ workflow-support:907.v6713a_ed8a_573 ws-cleanup:0.46 ```

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux on both controller and agents. Controller is running inside Docker on ubuntu 18.04, agents are usually Amazon Linux 2 but some are Ubuntu 22.04

Reproduction steps

1. Configure a pipeline script with the following: checkout scm sh "git tag foo" sh "git push origin --tags"
2. Run the build using a Bitbucket Branch Source

Expected Results

A tag "foo" appears in the repository

Actual Results

Git fails, with error message as follows:

fatal: could not read Password for 'https://[username]@bitbucket.org/': No such device or address

Anything else?

This worked fine until we upgrade to build 887. The same results appear to happen regardless of the Git operation (pushing branches, deleting branches, etc)

Are you interested in contributing a fix?

I'm not sure what the solution is. I'm assuming it's because the credential is now provided by an extension, and isn't available for non-Jenkins-invoked Git calls. If there is an alternative method (perhaps a pipeline API to invoke git commands) we'd be happy to use it.

[davewhiteley]

Seeing the same issue during sh blocks that involve git commands like the ones reported.

It appears that the plugin checkout behavior has changed since version 886. Previously during Declarative: Checkout SCM I would see: > git fetch --no-tags --progress [https://x-token-auth:{<token value>}@bitbucket.org/<workspace>/<git repo>.git](https://x-token-auth:%7<token value>%7D@bitbucket.org/<workspace>/<git repo>.git) +refs/heads/<branch name>:refs/remotes/origin/<branch name> # timeout=10 And the same token value would be included in the git commands later.

Now after upgrading to plugin version 887 the same checkout looks like this: > git fetch --no-tags --progress https://<workspace>@bitbucket.org/<workspace>/<git repo>.git +refs/heads/<branch name>:refs/remotes/origin/<branch name> # timeout=10 And git commands fail with the same error message reported in this ticket.

[KalleOlaviNiemitalo]

I think you can fix this by making the pipeline use Git credentials binding.

• https://github.com/jenkinsci/git-plugin/pull/1104
• Git credentials binding for sh, bat, and powershell (GSOC 2021)
• [JENKINS-28335] Pipeline step to run Git commands with credentials & tool - Jenkins Jira

The credential can't be in the system scope, though.

[Remboooo]

I think you can fix this by making the pipeline use Git credentials binding.

• [JENKINS-28335] - Git username and password binding (GSoC 2021) git-plugin#1104
• Git credentials binding for sh, bat, and powershell (GSOC 2021)
• [JENKINS-28335] Pipeline step to run Git commands with credentials & tool - Jenkins Jira

The credential can't be in the system scope, though.

Doesn't that only work if you're using a (project) token? I'm using OAuth for this plugin, which I think is the recommended way, but I don't see any way to use that with credentials binding. Also I don't see a way to use SSH keys because this plugin configures git to use HTTPS remote URLs.

I just reverted to 886 for now, I don't see any way to make it work other than introducing per-project tokens, which seems like a hassle.

[mcr-paulanand]

I am also facing the same issue:

• I am using Bitbucket Branch Source using OAuth credentials
• When performing git operations such as git push, the authentication fails.
• Reverting to 886 works.

[rgrizzell]

This issue is also affecting our builds. Same errors when using OAuth.

I was able to work around this by using the following snippet. [Credit]

sh "git push \"https://x-token-auth:$(curl -s -X POST -u \"<oauth_user>:<oauth_secret>\" https://bitbucket.org/site/oauth2/access_token -d grant_type=client_credentials | jq -r '.access_token')@bitbucket.org/<workspace>/<repo>.git"