Description
What feature do you want to see added?
Currently, the Checks API uses the GitHub App credentials used to check out the code. We tested the GitHub Checks Plugin with one of our template pipelines (some linters, warningsNg, test coverage, etc.) and it consumed between 50 and 100 requests from the rate limit. Our rate limit is 15.000 / hour, so we could build ~150 builds per hour of this kind.
We provide a Jenkins instance for lots of users and rate limits are a serious issue. If the checks failed because the rate limit is breached, it wouldn't be such a big issue, but if the checks cause our rate limits to breach and as a result not even the checkouts work anymore, we definitely have an issue.
This could be solved by giving the possibility to define extra credentials for the checks plugin. This would decouple the rate limit of the checks from the more critical rate limit of checking out code.
This would also allow users to solve a security issue: If the App is no longer used to check out code, it no longer needs permissions to the repository contents and could be reduced to having access to the Checks. In GitHub Enterprise, a GitHub App cannot be created by the user themselves. We have to set it up and they can then add their own repository to it (limited to 100 repositories). This of course also grants all other users of the app access to their repository.
With the new feature, the user could use their own personal access token to check out the code and use the GitHub App only for the checks.
Thanks for this plugin - it is very useful!
Upstream changes
No response