Combines a Git credential helper with a chinmina-bridge helper agent to allow Buildkite agents to securely authorize GitHub repository access.
The plugin contains a Git credential helper, enabled for the current step via an environment hook.
The credential helper calls chinmina-bridge when credentials for a GitHub repository are requested, supplying the result to Git in its expected format.
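The Git side of this exchange, as an added sketch that is not the plugin's own script: Git passes the action as an argument and the request as key=value lines on stdin, and the helper answers with username and password lines. `fetch_token` is a hypothetical stand-in for the request to chinmina-bridge, the token value is constructed, and the `x-access-token` username is GitHub's convention for app installation tokens (that the plugin emits the same is an assumption).

```shell
#!/usr/bin/env bash
# Added sketch of a Git credential helper; not the plugin's own code.

# ASSUMPTION: stand-in for the HTTP request to chinmina-bridge.
# The real request and response format are not described on this page.
fetch_token() {
  printf '%s' 'constructed-token-not-a-real-secret'
}

# Usage: credential_helper <action> < request-from-git
credential_helper() {
  local action="$1" key value protocol="" host="" token
  # Git also invokes helpers with "store" and "erase"; a helper that
  # vends short-lived tokens has nothing to persist, so it ignores them.
  [ "$action" = "get" ] || return 0

  # The request is key=value lines terminated by a blank line or EOF.
  while IFS='=' read -r key value; do
    [ -n "$key" ] || break
    case "$key" in
      protocol) protocol="$value" ;;
      host)     host="$value" ;;
    esac
  done

  # Answer only for HTTPS requests to GitHub. Staying silent for anything
  # else keeps the token away from other hosts and lets Git fall through
  # to the next configured helper.
  [ "$protocol" = "https" ] && [ "$host" = "github.com" ] || return 0

  token="$(fetch_token)" || return 1
  [ -n "$token" ] || return 1

  # The reply format Git expects from a helper.
  printf 'username=x-access-token\npassword=%s\n' "$token"
}

# Constructed request, shaped like the one Git sends for an HTTPS remote.
printf 'protocol=https\nhost=github.com\n\n' | credential_helper get
```

Git runs a helper like this when it is registered through the `credential.helper` configuration setting.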
Important
Refer to the Chinmina documentation for detailed information about configuring and using this plugin effectively.
While this plugin can be used as a regular Buildkite plugin, it must be enabled on every step. This includes any steps configured in the pipeline configuration. This is difficult to implement and maintain; hence the strategy suggested.
Add the following to your pipeline.yml:

steps:
  - command: ls
    plugins:
      - chinmina/chinmina-git-credentials#v1.1.0:
          chinmina-url: "https://chinmina-bridge-url"
          audience: "chinmina:your-github-organization"

The URL of the chinmina-bridge helper agent that vends a token for a pipeline. This is a separate HTTP service that must be accessible to your Buildkite agents.
Default: chinmina:default
The value of the aud claim of the OIDC JWT that will be sent to chinmina-bridge. This must correlate with the value configured in the chinmina-bridge settings.
A recommendation: chinmina:your-github-organization. This is specific to the purpose of the token, and also scoped to the GitHub organization that tokens will be vended for. chinmina-bridge's GitHub app is configured for a particular GitHub organization/user, so if you have multiple organizations, multiple agents will need to be running.
Run tests and plugin linting locally using docker compose:
# Buildkite plugin linter
docker-compose run --rm lint
# Bash tests
docker-compose run --rm tests
Contributions are welcome! Raise a PR, and include tests with your changes.
- Fork the repo
- Make the changes
- Run the tests and linter
- Commit and push your changes
- Send a pull request