kie-issues#727: define push GH tokens for jenkins

.ci/jenkins/Jenkinsfile.deploy

@@ -316,7 +316,7 @@ void checkoutRepo(String repo, String dirName = repo) {
         if (params.PR_TARGET_BRANCH) {
             githubscm.checkoutIfExists(repo, getGitAuthor(), getBuildBranch(), 'apache', getFallbackBranch(repo), true)
         } else {
-            checkout(githubscm.resolveRepository(repo, getGitAuthor(), getBuildBranch(), false))
+            checkout(githubscm.resolveRepository(repo, getGitAuthor(), getBuildBranch(), false, getGitAuthorCredsId()))
         }
     }
 }
@@ -327,7 +327,7 @@ void checkoutQuickstarts(String dirName = quickstartsRepository) {
         if (params.PR_TARGET_BRANCH) {
             githubscm.checkoutIfExists(quickstartsRepository, getGitAuthor(), getBuildBranch(), 'apache', getQuickStartsBranch(), true)
         } else {
-            checkout(githubscm.resolveRepository(quickstartsRepository, getGitAuthor(), getQuickStartsBranch(), false))
+            checkout(githubscm.resolveRepository(quickstartsRepository, getGitAuthor(), getQuickStartsBranch(), false, getGitAuthorCredsId()))
         }
     }
 }
@@ -358,10 +358,10 @@ void commitAndCreatePR(String folder, String repo, String buildBranch) {
             githubscm.findAndStageNotIgnoredFiles('build.gradle')
             githubscm.findAndStageNotIgnoredFiles('antora.yml')
         })
-        githubscm.pushObject('origin', getPRBranch(), getGitAuthorCredsID())
+        githubscm.pushObject('origin', getPRBranch(), getGitAuthorPushCredsId())
         deployProperties["${repo}.pr.link"] = isRelease() ?
-                githubscm.createPRWithLabels(commitMsg, prBody, buildBranch, ['DO_NOT_MERGE'] as String[], getGitAuthorCredsID()) :
-                githubscm.createPR(commitMsg, prBody, buildBranch, getGitAuthorCredsID())
+                githubscm.createPRWithLabels(commitMsg, prBody, buildBranch, ['DO_NOT_MERGE'] as String[], getGitAuthorCredsId()) :
+                githubscm.createPR(commitMsg, prBody, buildBranch, getGitAuthorCredsId())
     }
 }
 
@@ -478,8 +478,12 @@ String getGitAuthor() {
     return "${GIT_AUTHOR}"
 }
 
-String getGitAuthorCredsID() {
-    return env.AUTHOR_CREDS_ID
+String getGitAuthorCredsId() {
+    return env.GIT_AUTHOR_CREDS_ID
+}
+
+String getGitAuthorPushCredsId() {
+    return env.GIT_AUTHOR_PUSH_CREDS_ID
 }
 
 String getBuildBranch() {

.ci/jenkins/Jenkinsfile.promote

@@ -61,11 +61,11 @@ pipeline {
                         mergeAndPush(getDeployPrLink(optaplannerRepository))
                         tagLatest()
 
-                        if(githubscm.isReleaseExist(getGitTag(), getGitAuthorCredsID())) {
-                            githubscm.deleteRelease(getGitTag(), getGitAuthorCredsID())
+                        if(githubscm.isReleaseExist(getGitTag(), getGitAuthorCredsId())) {
+                            githubscm.deleteRelease(getGitTag(), getGitAuthorCredsId())
                         }
-                        githubscm.createReleaseWithGeneratedReleaseNotes(getGitTag(), getBuildBranch(), githubscm.getPreviousTagFromVersion(getGitTag()), getGitAuthorCredsID())
-                        githubscm.updateReleaseBody(getGitTag(), getGitAuthorCredsID())
+                        githubscm.createReleaseWithGeneratedReleaseNotes(getGitTag(), getBuildBranch(), githubscm.getPreviousTagFromVersion(getGitTag()), getGitAuthorCredsId())
+                        githubscm.updateReleaseBody(getGitTag(), getGitAuthorCredsId())
                     }
                 }
             }
@@ -79,11 +79,11 @@ pipeline {
                         mergeAndPush(getDeployPrLink(quickstartsRepository))
                         tagLatest()
 
-                        if(githubscm.isReleaseExist(getGitTag(), getGitAuthorCredsID())) {
-                            githubscm.deleteRelease(getGitTag(), getGitAuthorCredsID())
+                        if(githubscm.isReleaseExist(getGitTag(), getGitAuthorCredsId())) {
+                            githubscm.deleteRelease(getGitTag(), getGitAuthorCredsId())
                         }
-                        githubscm.createReleaseWithGeneratedReleaseNotes(getGitTag(), getBuildBranch(), githubscm.getPreviousTagFromVersion(getGitTag()), getGitAuthorCredsID())
-                        githubscm.updateReleaseBody(getGitTag(), getGitAuthorCredsID())
+                        githubscm.createReleaseWithGeneratedReleaseNotes(getGitTag(), getBuildBranch(), githubscm.getPreviousTagFromVersion(getGitTag()), getGitAuthorCredsId())
+                        githubscm.updateReleaseBody(getGitTag(), getGitAuthorCredsId())
                     }
                 }
             }
@@ -195,8 +195,12 @@ String getGitAuthor() {
     return env.GIT_AUTHOR
 }
 
-String getGitAuthorCredsID() {
-    return env.AUTHOR_CREDS_ID
+String getGitAuthorCredsId() {
+    return env.GIT_AUTHOR_CREDS_ID
+}
+
+String getGitAuthorPushCredsId() {
+    return env.GIT_AUTHOR_PUSH_CREDS_ID
 }
 
 String getDeployPrLink(String repo) {
@@ -209,15 +213,15 @@ String getDeployPrLink(String repo) {
 
 void checkoutRepo(String repo) {
     deleteDir()
-    checkout(githubscm.resolveRepository(repo, getGitAuthor(), getBuildBranch(), false))
+    checkout(githubscm.resolveRepository(repo, getGitAuthor(), getBuildBranch(), false, getGitAuthorCredsId()))
     // need to manually checkout branch since on a detached branch after checkout command
     sh "git checkout ${getBuildBranch()}"
 }
 
 void mergeAndPush(String prLink, String targetBranch) {
     if (prLink != '') {
-        githubscm.mergePR(prLink, getGitAuthorCredsID())
-        githubscm.pushObject('origin', targetBranch, getGitAuthorCredsID())
+        githubscm.mergePR(prLink, getGitAuthorCredsId())
+        githubscm.pushObject('origin', targetBranch, getGitAuthorPushCredsId())
     }
 }
 
@@ -227,7 +231,7 @@ void mergeAndPush(String prLink) {
 
 void tagLatest() {
     if (getGitTag() != '') {
-        githubscm.tagLocalAndRemoteRepository('origin', getGitTag(), getGitAuthorCredsID(), env.BUILD_TAG, true)
+        githubscm.tagLocalAndRemoteRepository('origin', getGitTag(), getGitAuthorPushCredsId(), env.BUILD_TAG, true)
     }
 }
 

.ci/jenkins/Jenkinsfile.setup-branch

@@ -63,7 +63,7 @@ pipeline {
                                 githubscm.findAndStageNotIgnoredFiles('pom.xml')
                                 githubscm.findAndStageNotIgnoredFiles('antora.yml')
                             })
-                            githubscm.pushObject('origin', getBuildBranch(), getGitAuthorCredsId())
+                            githubscm.pushObject('origin', getBuildBranch(), getGitAuthorPushCredsId())
                         } else {
                             println '[WARN] no changes to commit'
                         }
@@ -106,7 +106,7 @@ void sendErrorNotification() {
 }
 
 void checkoutRepo(String repository, String branch) {
-    checkout(githubscm.resolveRepository(repository, getGitAuthor(), branch, false))
+    checkout(githubscm.resolveRepository(repository, getGitAuthor(), branch, false, getGitAuthorCredsId()))
     // need to manually checkout branch since on a detached branch after checkout command
     sh "git checkout ${branch}"
 }
@@ -129,7 +129,11 @@ String getOptaPlannerVersion() {
 }
 
 String getGitAuthorCredsId() {
-    return env.AUTHOR_CREDS_ID
+    return env.GIT_AUTHOR_CREDS_ID
+}
+
+String getGitAuthorPushCredsId() {
+    return env.GIT_AUTHOR_PUSH_CREDS_ID
 }
 
 MavenCommand getMavenCommand() {
@@ -144,14 +148,14 @@ boolean isMainBranch() {
 String commitAndCreatePR(String commitMsg, String localBranch, String targetBranch) {
     def prBody = "Generated by build ${BUILD_TAG}: ${BUILD_URL}"
     githubscm.commitChanges(commitMsg)
-    githubscm.pushObject('origin', localBranch, getGitAuthorCredsId())
+    githubscm.pushObject('origin', localBranch, getGitAuthorPushCredsId())
     return githubscm.createPR(commitMsg, prBody, targetBranch, getGitAuthorCredsId())
 }
 
 void mergeAndPush(String prLink, String targetBranch) {
     if (prLink?.trim()) {
         githubscm.mergePR(prLink, getGitAuthorCredsId())
-        githubscm.pushObject('origin', targetBranch, getGitAuthorCredsId())
+        githubscm.pushObject('origin', targetBranch, getGitAuthorPushCredsId())
     }
 }
 

.ci/jenkins/config/branch.yaml

@@ -41,9 +41,14 @@ git:
     # Need to be verified
     credentials_id: 399061d0-5ab5-4142-a186-a52081fef742
     token_credentials_id: ci-builds
+    push:
+      credentials_id: 84811880-2025-45b6-a44c-2f33bef30ad2 # CI Push Access for KIE
+      token_credentials_id: 41128c14-bb63-4708-9074-d20a318ee630 # GitHub Personal Access Token for KIE
   fork_author:
     name: kie-ci
     credentials_id: kie-ci
+    push:
+      credentials_id: kie-ci
   quarkus:
     author:
       name: quarkusio

.ci/jenkins/config/main.yaml

@@ -20,6 +20,8 @@ seed:
       author:
         name: apache
         credentials_id: ASF_Cloudbees_Jenkins_ci-builds
+        push:
+          credentials_id: 84811880-2025-45b6-a44c-2f33bef30ad2 # CI Push Access for KIE
       branch: main
     path: .ci/jenkins/config/branch.yaml
 jenkins:

.ci/jenkins/dsl/jobs.groovy

@@ -73,6 +73,8 @@ void setupProjectDroolsJob(String droolsBranch) {
         NOTIFICATION_JOB_NAME: 'Drools snapshot check',
         DROOLS_BRANCH: droolsBranch,
         MAVEN_SETTINGS_CONFIG_FILE_ID: "${MAVEN_SETTINGS_FILE_ID}",
+
+        GIT_AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
     ])
     KogitoJobTemplate.createPipelineJob(this, jobParams)?.with {
         parameters {
@@ -109,7 +111,7 @@ void setupProjectNightlyJob() {
 
         GIT_BRANCH_NAME: "${GIT_BRANCH}",
         GIT_AUTHOR: "${GIT_AUTHOR_NAME}",
-        AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
+        GIT_AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
 
         MAVEN_SETTINGS_CONFIG_FILE_ID: "${MAVEN_SETTINGS_FILE_ID}",
         ARTIFACTS_REPOSITORY: "${MAVEN_ARTIFACTS_REPOSITORY}",
@@ -156,8 +158,8 @@ void setupProjectPostReleaseJob() {
 
         GIT_AUTHOR: "${GIT_AUTHOR_NAME}",
 
-        AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
-        GITHUB_TOKEN_CREDS_ID: "${GIT_AUTHOR_TOKEN_CREDENTIALS_ID}",
+        GIT_AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
+        GIT_AUTHOR_PUSH_CREDS_ID: "${GIT_AUTHOR_PUSH_CREDENTIALS_ID}",
 
         MAVEN_SETTINGS_CONFIG_FILE_ID: "${MAVEN_SETTINGS_FILE_ID}",
         MAVEN_DEPENDENCIES_REPOSITORY: "${MAVEN_ARTIFACTS_REPOSITORY}",
@@ -257,7 +259,8 @@ void createSetupBranchJob() {
         JENKINS_EMAIL_CREDS_ID: "${JENKINS_EMAIL_CREDS_ID}",
 
         GIT_AUTHOR: "${GIT_AUTHOR_NAME}",
-        AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
+        GIT_AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
+        GIT_AUTHOR_PUSH_CREDS_ID: "${GIT_AUTHOR_PUSH_CREDENTIALS_ID}",
 
         MAVEN_SETTINGS_CONFIG_FILE_ID: "${MAVEN_SETTINGS_FILE_ID}",
 
@@ -303,8 +306,8 @@ void setupDeployJob(JobType jobType, String envName = '') {
         jobParams.env.putAll([
             GIT_AUTHOR: "${GIT_AUTHOR_NAME}",
 
-            AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
-            GITHUB_TOKEN_CREDS_ID: "${GIT_AUTHOR_TOKEN_CREDENTIALS_ID}",
+            GIT_AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
+            GIT_AUTHOR_PUSH_CREDS_ID: "${GIT_AUTHOR_PUSH_CREDENTIALS_ID}",
 
             MAVEN_DEPENDENCIES_REPOSITORY: "${MAVEN_ARTIFACTS_REPOSITORY}",
             MAVEN_DEPLOY_REPOSITORY: "${MAVEN_ARTIFACTS_REPOSITORY}",
@@ -364,8 +367,8 @@ void setupPromoteJob(JobType jobType) {
 
         GIT_AUTHOR: "${GIT_AUTHOR_NAME}",
 
-        AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
-        GITHUB_TOKEN_CREDS_ID: "${GIT_AUTHOR_TOKEN_CREDENTIALS_ID}",
+        GIT_AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
+        GIT_AUTHOR_PUSH_CREDS_ID: "${GIT_AUTHOR_PUSH_CREDENTIALS_ID}",
 
         MAVEN_SETTINGS_CONFIG_FILE_ID: "${MAVEN_SETTINGS_FILE_ID}",
         MAVEN_DEPENDENCIES_REPOSITORY: "${MAVEN_ARTIFACTS_REPOSITORY}",

.ci/jenkins/project/Jenkinsfile.drools

@@ -133,7 +133,7 @@ void sendErrorNotification() {
 
 void checkoutOptaplannerRepo() {
     dir(optaplannerRepo) {
-        checkout(githubscm.resolveRepository(optaplannerRepo, params.GIT_AUTHOR, getBuildBranch(), false))
+        checkout(githubscm.resolveRepository(optaplannerRepo, params.GIT_AUTHOR, getBuildBranch(), false, getGitAuthorCredsId()))
     }
 }
 
@@ -143,13 +143,13 @@ void checkoutOptaplannerQuickstartsRepo() {
             ? 'development' : getBuildBranch()
 
     dir(quickstartsRepo) {
-        checkout(githubscm.resolveRepository(quickstartsRepo, params.GIT_AUTHOR, quickstartsChangeTarget, false))
+        checkout(githubscm.resolveRepository(quickstartsRepo, params.GIT_AUTHOR, quickstartsChangeTarget, false, getGitAuthorCredsId()))
     }
 }
 
 void checkoutDroolsRepo() {
     dir(droolsRepo) {
-        checkout(githubscm.resolveRepository(droolsRepo, 'apache', getDroolsBranch(), false))
+        checkout(githubscm.resolveRepository(droolsRepo, 'apache', getDroolsBranch(), false, getGitAuthorCredsId()))
     }
 }
 
@@ -170,6 +170,10 @@ String getDroolsBranch() {
     return env['DROOLS_BRANCH'] ?: 'main'
 }
 
+String getGitAuthorCredsId() {
+    return env.GIT_AUTHOR_CREDS_ID
+}
+
 void cleanContainers() {
     cloud.cleanContainersAndImages('docker')
 }

.ci/jenkins/project/Jenkinsfile.nightly

@@ -183,21 +183,21 @@ String getGitAuthor() {
     return env.GIT_AUTHOR
 }
 
-String getGitAuthorCredsID() {
-    return env.AUTHOR_CREDS_ID
+String getGitAuthorCredsId() {
+    return env.GIT_AUTHOR_CREDS_ID
 }
 
 void checkoutNewBranch(String repo, String originBranch, String newBranch, String dirName = repo) {
     dir(dirName) {
         deleteDir()
-        checkout(githubscm.resolveRepository(repo, getGitAuthor(), originBranch, false))
+        checkout(githubscm.resolveRepository(repo, getGitAuthor(), originBranch, false, getGitAuthorCredsId()))
         sh "git checkout -b ${newBranch}"
     }
 }
 
 void forcePushBranch(String dirName, String branch) {
     dir(dirName) {
-        withCredentials([usernamePassword(credentialsId: getGitAuthorCredsID(), usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD')]) {
+        withCredentials([usernamePassword(credentialsId: getGitAuthorCredsId(), usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD')]) {
             // Please leave the double-quote here. They are mandatory for the shell command to work correctly.
             sh """
             git config --local credential.helper \"!f() { echo username=\\$GIT_USERNAME; echo password=\\$GIT_PASSWORD; }; f\"

.ci/jenkins/project/Jenkinsfile.post-release

@@ -124,7 +124,7 @@ pipeline {
         //             dir(websiteRepository) {
         //                 checkoutRepo(websiteRepository, 'main')
         //                 mergeAndPush(prLink, 'main')
-        //                 githubscm.removeRemoteBranch('origin', prBranchName, getGitAuthorCredsID())
+        //                 githubscm.removeRemoteBranch('origin', prBranchName, getGitAuthorPushCredsId())
         //             }
         //         }
         //     }
@@ -178,8 +178,12 @@ String getGitAuthor() {
     return env.GIT_AUTHOR
 }
 
-String getGitAuthorCredsID() {
-    return env.AUTHOR_CREDS_ID
+String getGitAuthorCredsId() {
+    return env.GIT_AUTHOR_CREDS_ID
+}
+
+String getGitAuthorPushCredsId() {
+    return env.GIT_AUTHOR_PUSH_CREDS_ID
 }
 
 String getSnapshotBranch() {
@@ -192,31 +196,31 @@ String getSnapshotBranch() {
 
 void checkoutRepo(String repo, String branch) {
     deleteDir()
-    checkout(githubscm.resolveRepository(repo, getGitAuthor(), branch, false))
+    checkout(githubscm.resolveRepository(repo, getGitAuthor(), branch, false, getGitAuthorCredsId()))
     // need to manually checkout branch since on a detached branch after checkout command
     sh "git checkout ${branch}"
 }
 
 void checkoutTag(String repo, String tagName, String localBranchName = tagName) {
     deleteDir()
-    checkout(githubscm.resolveRepository(repo, getGitAuthor(), getBuildBranch(), false))
+    checkout(githubscm.resolveRepository(repo, getGitAuthor(), getBuildBranch(), false, getGitAuthorCredsId()))
     // Need to manually checkout branch since we are in 'detached HEAD' state after the git checkout command.
     sh "git checkout tags/${tagName} -b ${localBranchName}"
 }
 
 void mergeAndPush(String prLink, String targetBranch) {
     if (prLink != '') {
-        githubscm.mergePR(prLink, getGitAuthorCredsID())
-        githubscm.pushObject('origin', targetBranch, getGitAuthorCredsID())
+        githubscm.mergePR(prLink, getGitAuthorCredsId())
+        githubscm.pushObject('origin', targetBranch, getGitAuthorPushCredsId())
     }
 }
 
 String commitAndCreatePR(String commitMsg, Closure precommit, String localBranch, String targetBranch) {
     def prBody = "Generated by build ${BUILD_TAG}: ${BUILD_URL}"
 
     githubscm.commitChanges(commitMsg, precommit)
-    githubscm.pushObject('origin', localBranch, getGitAuthorCredsID())
-    return githubscm.createPR(commitMsg, prBody, targetBranch, getGitAuthorCredsID())
+    githubscm.pushObject('origin', localBranch, getGitAuthorPushCredsId())
+    return githubscm.createPR(commitMsg, prBody, targetBranch, getGitAuthorCredsId())
 }
 
 void commitAndForcePushBranch(String repo, String branch) {
@@ -268,7 +272,7 @@ void removeJbossNexusFromMavenAndGradle() {
 }
 
 def forcePushBranch(String branch) {
-    withCredentials([usernamePassword(credentialsId: getGitAuthorCredsID(), usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD')]) {
+    withCredentials([usernamePassword(credentialsId: getGitAuthorCredsId(), usernameVariable: 'GIT_USERNAME', passwordVariable: 'GIT_PASSWORD')]) {
         // Please leave the double-quote here. They are mandatory for the shell command to work correctly.
         sh """
             git config --local credential.helper \"!f() { echo username=\\$GIT_USERNAME; echo password=\\$GIT_PASSWORD; }; f\"