background
I received a request before, asking to use jenkins to support custom commands to check out the git code warehouse, and to automatically add the user password, and also require the user password to be invisible. Hmm... interesting, in this case, the method generated by jenkins is not 流水线语法生成器very checkout()good applied
method one.gitUsernamePassword凭据变量方式
Through gitUsernamePasswordmethod 1 , the identity can be automatically identified when executing the git command, but this method requires the git plug-in version of jenkins to be 4.8.1above, and the latest version of the jenkins git:4.12.2plug-in requires the jenkins version. 2.332.4If the git plug-in is directly upgraded on jenkins, it may not be compatible, and It will cause the pipeline to be unavailable. If you have to try to upgrade the jenkins plug-in, it is not impossible. It is best to back up the $JENKINS_HOMEfollowing pluginsdirectory first to avoid problems that cannot be recovered in jenkins
Examples are as follows:
withCredentials([gitUsernamePassword(credentialsId: 'my-credentials-id', gitToolName: 'git-tool')]) {
sh 'git fetch --all'
}
Method 2, withCredentials manually add account secrets through environment variables
After repeated attempts, we finally realized the way to automatically add and hide account secrets in the git checkout command, among which ${CERT_ID}are custom credentials, checkoutCmdwhich are custom checkout command parameters
withCredentials([usernamePassword(credentialsId: "${CERT_ID}", usernameVariable: 'username', passwordVariable: 'password')]) {
//获取http或https开头的域名, 例如http://gitlab.com/project.git 截取为gitlab.com
def domain=sh(script: ''' echo '${checkoutCmd}' | grep -Eo '(https?://)[^/]+' |head -n 1 | awk -F '://' '{print \$2}' ''', returnStdout: true).trim()
//在域名中加上用户密码,组成user:[email protected]"这种格式
passWithDomain="${username}:${password}@${domain}"
//替换后检出命令
checkoutCmd=checkoutCmd.replaceAll(domain,passWithDomain)
//set +x关闭日志输出避免输出用户密码, 参考 https://www.jenkins.io/doc/pipeline/steps/credentials-binding
sh '''
set +x
${checkoutCmd}
'''
}
I originally wanted to analyze the code logic of the jenkins git plug-in to see if there is a better way to implement it. The code logic of the jenkins git:4.12.2plug-in 2auth.sh binding account secret is as follows. It seems that a temporary file will be generated under the workspace , but I still don’t know this how the file is used
@Override
protected FilePath write(StandardUsernamePasswordCredentials credentials, FilePath workspace)
throws IOException, InterruptedException {
FilePath gitEcho;
//Hard Coded platform dependent newLine
if (this.unixNodeType) {
gitEcho = workspace.createTempFile("auth", ".sh");
// [#!/usr/bin/env sh] to be used if required, could have some corner cases
gitEcho.write("case $1 in\n"
+ " Username*) echo " + this.userVariable
+ " ;;\n"
+ " Password*) echo " + this.passVariable
+ " ;;\n"
+ " esac\n", null);
gitEcho.chmod(0500);
} else {
gitEcho = workspace.createTempFile("auth", ".bat");
gitEcho.write("@ECHO OFF\r\n"
+ "SET ARG=%~1\r\n"
+ "IF %ARG:~0,8%==Username (ECHO " + this.userVariable + ")\r\n"
+ "IF %ARG:~0,8%==Password (ECHO " + this.passVariable + ")", null);
}
return gitEcho;
}