jenkinsci / github-checks-plugin

Jenkins Plugin for GitHub Checks API
https://plugins.jenkins.io/github-checks/
MIT License

Checks fail if run on system locked out of public internet. #361

Open macetw opened 1 year ago

macetw commented 1 year ago

Jenkins and plugins versions report

If I run my builds with the GitHub Checks plugin installed but on a workstation that is blocked from the public internet, the build quickly fails with the error:

[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled

I definitely don't want our checks published to the public github API. These are proprietary internal builds.

2 questions:

  1. How can I prevent these builds from failing?
  2. And how can I prevent this plugin from publishing information about our internal builds to a public (or microsoft-corporate) resource?
Environment

```text
Jenkins: 2.401.1
OS: Linux - 5.4.0-65-generic
Java: 11.0.19 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1 amazon-ecr:1.114.vfd22430621f5 analysis-model-api:11.3.0 ansible:217.v1696cee03265 ansible-tower:0.16.0 ansicolor:1.0.2 ant:487.vd79d090d4ea_e antisamy-markup-formatter:159.v25b_c67cd35fb_ apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5 artifactory:3.18.3 atlassian-bitbucket-server-integration:3.4.2 authentication-tokens:1.53.v1c90fd9191a_b_ aws-bucket-credentials:1.0.0 aws-credentials:191.vcb_f183ce58b_9 aws-global-configuration:108.v47b_fd43dfec6 aws-java-sdk:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-cloudformation:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-codebuild:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ec2:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ecr:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ecs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-efs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-elasticbeanstalk:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-iam:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-kinesis:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-logs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-minimal:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-sns:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-sqs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ssm:1.12.481-392.v8b_291cfcda_09 bitbucket:223.vd12f2bca5430 bitbucket-push-and-pull-request:2.8.3 bitbucket-scm-trait-commit-skip:0.4.0 blueocean:1.27.4 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.4 blueocean-commons:1.27.4 blueocean-config:1.27.4 blueocean-core-js:1.27.4 blueocean-dashboard:1.27.4 blueocean-display-url:2.4.2 blueocean-events:1.27.4 blueocean-git-pipeline:1.27.4 blueocean-github-pipeline:1.27.4 blueocean-i18n:1.27.4 blueocean-jwt:1.27.4 blueocean-personalization:1.27.4 blueocean-pipeline-api-impl:1.27.4 blueocean-pipeline-editor:1.27.4 blueocean-pipeline-scm-api:1.27.4 blueocean-rest:1.27.4 blueocean-rest-impl:1.27.4 blueocean-web:1.27.4
bootstrap4-api:4.6.0-6 bootstrap5-api:5.3.0-1 bouncycastle-api:2.28 branch-api:2.1109.vdf225489a_16d build-name-setter:2.2.0 build-pipeline-plugin:1.5.8 build-timeout:1.31 built-on-column:1.4 caffeine-api:3.1.6-115.vb_8b_b_328e59d8 checks-api:2.0.0 cloudbees-bitbucket-branch-source:805.v7f97d29dc0f5 cloudbees-folder:6.815.v0dd5a_cb_40e0e cobertura:1.17 code-coverage-api:4.7.0 command-launcher:100.v2f6722292ee8 commons-lang3-api:3.12.0-36.vd97de6465d5b_ commons-text-api:1.10.0-36.vc008c8fcda_7b_ conditional-buildstep:1.4.2 config-file-provider:938.ve2b_8a_591c596 configuration-as-code:1647.ve39ca_b_829b_42 copyartifact:705.v5295cffec284 credentials:1254.vb_96f366e7b_a_d credentials-binding:604.vb_64480b_c56ca_ data-tables-api:1.13.4-1 delivery-pipeline-plugin:1.4.2 display-url-api:2.3.7 docker-commons:419.v8e3cd84ef49c docker-workflow:563.vd5d2e5c4007f durable-task:507.v050055d0cb_dd ec2:2.0.7 echarts-api:5.4.0-5 email-ext:2.98 embeddable-build-status:385.vc95f94e91fb_3 envinject:2.901.v0038b_6471582 envinject-api:1.199.v3ce31253ed13 external-monitor-job:203.v683c09d993b_9 favorite:2.4.2 font-awesome-api:6.4.0-1 forensics-api:2.3.0 git:5.1.0 git-client:4.4.0 git-parameter:0.9.18 git-server:99.va_0826a_b_cdfa_d github:1.37.1 github-api:1.314-431.v78d72a_3fe4c3 github-autostatus:3.6.2 github-branch-source:1725.vd391eef681a_e github-checks:545.v79a_a_68b_ca_682 github-pr-comment-build:96.v9ff13b69dd66 global-slack-notifier:1.5 google-compute-engine:4.3.14 google-kubernetes-engine:0.8.8 google-oauth-plugin:1.0.8 gradle:2.8 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 hashicorp-vault-pipeline:1.4 hashicorp-vault-plugin:360.v0a_1c04cf807d htmlpublisher:1.31 hubot-steps:95.va_30176518a_5a instance-identity:142.v04572ca_5b_265 ionicons-api:56.v1b_1c8c49374e ivy:2.5 jackson2-api:2.15.2-350.v0c2f3f8fc595 jacoco:3.3.3 jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javadoc:233.vdc1a_ec702cff javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-8
jaxb:2.3.8-1 jdk-tool:66.vd8fa_64ee91b_d jenkins-design-language:1.27.4 jjwt-api:0.11.5-77.v646c772fddb_0 job-dsl:1.84 jobConfigHistory:1212.vd4470d08ff12 jquery:1.12.4-1 jquery-detached:1.2.1 jquery3-api:3.7.0-1 jsch:0.2.8-65.v052c39de79b_2 junit:1207.va_09d5100410f kubernetes:3937.vd7b_82db_e347b_ kubernetes-client-api:6.4.1-215.v2ed17097a_8e9 kubernetes-credentials:0.10.0 kubernetes-pipeline-devops-steps:1.6 ldap:682.v7b_544c9d1512 lockable-resources:1156.v5e9f897ece02 mailer:457.v3f72cb_e015e5 matrix-auth:3.1.8 matrix-project:789.v57a_725b_63c79 maven-plugin:3.22 mercurial:1260.vdfb_723cdcc81 metrics:4.2.18-439.v86a_20b_a_8318b_ mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_ mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_ momentjs:1.1.1 multibranch-build-strategy-extension:1.0.10 node-iterator-api:49.v58a_8b_35f8363 oauth-credentials:0.645.ve666a_c332668 okhttp-api:4.11.0-145.vcb_8de402ef81 pam-auth:1.10 parameterized-trigger:2.45 pipeline-as-yaml:0.16-rc pipeline-aws:1.43 pipeline-build-step:496.v2449a_9a_221f2 pipeline-github:2.8-147.3206e8179b1c pipeline-github-lib:42.v0739460cda_c4 pipeline-graph-analysis:202.va_d268e64deb_3 pipeline-groovy-lib:656.va_a_ceeb_6ffb_f7 pipeline-input-step:468.va_5db_051498a_4 pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2141.v5402e818a_779 pipeline-model-definition:2.2141.v5402e818a_779 pipeline-model-extensions:2.2141.v5402e818a_779 pipeline-multibranch-defaults:2.1 pipeline-rest-api:2.32 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2141.v5402e818a_779 pipeline-stage-view:2.32 pipeline-timeline:1.0.3 pipeline-utility-steps:2.15.4 plain-credentials:143.v1b_df8b_d3b_e48 plugin-util-api:3.3.0 popper-api:1.16.1-3 prism-api:1.29.0-7 prometheus:2.2.3 pubsub-light:1.17 purge-job-history:1.6 rebuild:320.v5a_0933a_e7d61 resource-disposer:0.22 role-strategy:633.v836e5b_3e80a_5 run-condition:1.5 s3:0.12.3445.vda_704535b_5a_d saml:4.418.vdfa_7489a_b_a_2d scm-api:672.v64378a_b_20c60
scm-filter-branch-pr:61.v45f2e5f81fde script-security:1251.vfe552ed55f8d sidebar-link:2.2.2 slack:664.vc9a_90f8b_c24a_ snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4 splunk-devops:1.10.1 sse-gateway:1.26 ssh-agent:333.v878b_53c89511 ssh-credentials:305.v8f4381501156 ssh-slaves:2.877.v365f5eb_a_b_eec ssh-steps:2.0.65.vd26b_5b_9b_de4d sshd:3.303.vefc7119b_ec23 startup-trigger-plugin:2.9.3 structs:324.va_f5d6774f3a_d timestamper:1.25 token-macro:359.vb_cde11682e0c trilead-api:2.84.v72119de229b_7 variant:59.vf075fe829ccb warnings-ng:10.2.0 webhook-step:173.vfa_b_93560b_977 workflow-aggregator:596.v8c21c963d92d workflow-api:1213.v646def1087f9 workflow-basic-steps:1017.vb_45b_302f0cea_ workflow-cps:3691.v28b_14c465a_b_b_ workflow-cps-global-lib:609.vd95673f149b_b workflow-durable-task-step:1247.v7f9dfea_b_4fd0 workflow-job:1308.v58d48a_763b_31 workflow-multibranch:756.v891d88f2cd46 workflow-scm-step:415.v434365564324 workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:839.v35e2736cfd5c ws-cleanup:0.45
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu. Everywhere.

Reproduction steps

All I need is the plugin installed, but with an agent that is firewall-blocked.

Consider an iptables approach with a CIDR block to shut off internet access on that agent (while still permitting access to the Jenkins controller).

Expected Results

I expect it to fail. Or frankly, I expect to be able to assign a GitHub URL of my internal server. Maybe have the server implied based on my scm configuration of the build, and no error happens.

Actual Results

[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled

Anything else?

There needs to be an input parameter. Publishing to the public website is a huge leak of proprietary information. Is it really doing this??

macetw commented 1 year ago

Suggest another improvement: that the URL is shown in the success output: `[GitHub Checks] GitHub check (name: Jenkins, status: in_progress) has been published.`

timja commented 1 year ago

I expect your instance is misconfigured somewhere; you need to set the right API URL. You can override it on your GitHub App credential, I think.

enravi commented 1 year ago

The error message indicates that the GitHub Checks plugin in your Jenkins environment is attempting to publish GitHub checks to the public GitHub API, but it is failing due to the restricted internet access on your Jenkins workstation.

To prevent these builds from failing and ensure that the plugin does not inadvertently publish information about your internal builds to public or corporate resources, consider the following steps:

  1. Configure GitHub Enterprise Server URL: Ensure that the plugin is configured to use your internal GitHub Enterprise Server URL instead of the public GitHub API. To do this:

    • Access your Jenkins dashboard.
    • Navigate to "Manage Jenkins" in the left sidebar.
    • Click on "Configure System."
    • Scroll down to the section related to the GitHub Checks plugin.
    • In the "GitHub Enterprise API URL" field, specify the URL of your internal GitHub Enterprise Server.

    This configuration will direct the GitHub Checks plugin to communicate exclusively with your internal GitHub server.

  2. Agent Firewall Configuration: If one of your Jenkins agents is blocked from accessing the public internet, consider implementing firewall rules to control its internet access. You can block outgoing connections to external domains while permitting connections to the Jenkins controller.

    Here is an example of how to configure iptables to restrict internet access on the agent:

    ```shell
    # Keep loopback traffic working (local services on the agent)
    iptables -A OUTPUT -o lo -j ACCEPT
    # Keep replies to connections the controller opened to the agent working
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Allow outgoing connections to the Jenkins controller (replace 1.2.3.4 with the controller's IP)
    iptables -A OUTPUT -d 1.2.3.4 -j ACCEPT
    # Block all other outgoing connections
    iptables -A OUTPUT -j DROP
    ```

    By implementing these rules, you can ensure that the GitHub Checks plugin on the agent can only communicate with the Jenkins controller.

  3. Plugin Configuration Check: Double-check the configuration of the GitHub Checks plugin to ensure it is correctly set up and not configured to use the public GitHub API unintentionally.

By following these steps and making sure the GitHub Checks plugin is configured correctly, you can prevent build failures and avoid leaking proprietary information to public resources.

timja commented 1 year ago

Thanks for trying to help enravi, but I'm assuming that's AI generated and it's incorrect. There is no GitHub Checks configuration section.

I've double checked and yes, the API URL needs setting on the GitHub App credential (in the advanced settings for the credential):

https://github.com/jenkinsci/github-checks-plugin/blob/8d1713321e3db97eb07ff398400fb80efc5f6c24/src/main/java/io/jenkins/plugins/checks/github/GitHubChecksPublisher.java#L77-L79
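Until the credential is fixed, the only evidence of where the plugin tried to publish is the failure line quoted in this issue (the success line carries no URL, as macetw points out). The audit below is an added example, not part of the plugin or of this thread: it scans constructed Jenkins console-log lines modelled on those messages, extracts the API host from each failure, and flags any host that is not the assumed internal GitHub Enterprise host `ghe.internal.example`.

```python
import re
from urllib.parse import urlparse

# Constructed sample console-log lines modelled on the messages quoted in this issue.
SAMPLE_LOG = """\
[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled
[GitHub Checks] GitHub check (name: Jenkins, status: in_progress) has been published.
[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://ghe.internal.example/api/v3) with private mode enabled
"""

# Assumed internal GHES host; the only destination checks may be published to.
ALLOWED_API_HOSTS = {"ghe.internal.example"}

CHECKS_PREFIX = "[GitHub Checks] "
# The failure message wraps the configured API URL in parentheses.
URL_RE = re.compile(r"\((https?://[^)\s]+)\)")


def audit_checks_log(text, allowed_hosts=ALLOWED_API_HOSTS):
    """Return (line_no, kind, host) findings for every GitHub Checks log line.

    kind is 'public' for a publish attempt to a host outside allowed_hosts,
    'ok' for a failure line naming an allowed host, and 'unknown' for a
    success line, which does not say where the check went.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith(CHECKS_PREFIX):
            continue
        m = URL_RE.search(line)
        if m is None:
            findings.append((n, "unknown", None))
            continue
        host = urlparse(m.group(1)).hostname
        kind = "ok" if host in allowed_hosts else "public"
        findings.append((n, kind, host))
    return findings


def public_publish_attempts(text, allowed_hosts=ALLOWED_API_HOSTS):
    """Only the findings that indicate data was sent towards a non-allowed host."""
    return [f for f in audit_checks_log(text, allowed_hosts) if f[1] == "public"]


if __name__ == "__main__":
    for line_no, kind, host in audit_checks_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {host or ''}")
```

Run it over the console output of the affected jobs; every `public` finding is a build whose credential still defaults to `api.github.com`.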

enravi commented 1 year ago

Thank you for the clarification. It appears that the GitHub Checks plugin relies on the API URL configured within the GitHub App credential settings for its behavior.