Checks fail if run on system locked out of public internet.

[macetw]

Jenkins and plugins versions report

If I run my builds with the GitHub Checks plugin installed but on a workstation that is blocked from the public internet, the build quickly fails with the error:

[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled

I definitely don't want our checks published to the public github API. These are proprietary internal builds.

2 questions:

1. How can I prevent these builds from failing?
2. And how can I prevent this plugin from publishing information about our internal builds to a public (or microsoft-corporate) resource?

Environment

Jenkins: 2.401.1
OS: Linux - 5.4.0-65-generic
Java: 11.0.19 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
ace-editor:1.1
amazon-ecr:1.114.vfd22430621f5
analysis-model-api:11.3.0
ansible:217.v1696cee03265
ansible-tower:0.16.0
ansicolor:1.0.2
ant:487.vd79d090d4ea_e
antisamy-markup-formatter:159.v25b_c67cd35fb_
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5
artifactory:3.18.3
atlassian-bitbucket-server-integration:3.4.2
authentication-tokens:1.53.v1c90fd9191a_b_
aws-bucket-credentials:1.0.0
aws-credentials:191.vcb_f183ce58b_9
aws-global-configuration:108.v47b_fd43dfec6
aws-java-sdk:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-cloudformation:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-codebuild:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ec2:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ecr:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ecs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-efs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-elasticbeanstalk:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-iam:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-kinesis:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-logs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-minimal:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-sns:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-sqs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ssm:1.12.481-392.v8b_291cfcda_09
bitbucket:223.vd12f2bca5430
bitbucket-push-and-pull-request:2.8.3
bitbucket-scm-trait-commit-skip:0.4.0
blueocean:1.27.4
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.4
blueocean-commons:1.27.4
blueocean-config:1.27.4
blueocean-core-js:1.27.4
blueocean-dashboard:1.27.4
blueocean-display-url:2.4.2
blueocean-events:1.27.4
blueocean-git-pipeline:1.27.4
blueocean-github-pipeline:1.27.4
blueocean-i18n:1.27.4
blueocean-jwt:1.27.4
blueocean-personalization:1.27.4
blueocean-pipeline-api-impl:1.27.4
blueocean-pipeline-editor:1.27.4
blueocean-pipeline-scm-api:1.27.4
blueocean-rest:1.27.4
blueocean-rest-impl:1.27.4
blueocean-web:1.27.4
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.0-1
bouncycastle-api:2.28
branch-api:2.1109.vdf225489a_16d
build-name-setter:2.2.0
build-pipeline-plugin:1.5.8
build-timeout:1.31
built-on-column:1.4
caffeine-api:3.1.6-115.vb_8b_b_328e59d8
checks-api:2.0.0
cloudbees-bitbucket-branch-source:805.v7f97d29dc0f5
cloudbees-folder:6.815.v0dd5a_cb_40e0e
cobertura:1.17
code-coverage-api:4.7.0
command-launcher:100.v2f6722292ee8
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-36.vc008c8fcda_7b_
conditional-buildstep:1.4.2
config-file-provider:938.ve2b_8a_591c596
configuration-as-code:1647.ve39ca_b_829b_42
copyartifact:705.v5295cffec284
credentials:1254.vb_96f366e7b_a_d
credentials-binding:604.vb_64480b_c56ca_
data-tables-api:1.13.4-1
delivery-pipeline-plugin:1.4.2
display-url-api:2.3.7
docker-commons:419.v8e3cd84ef49c
docker-workflow:563.vd5d2e5c4007f
durable-task:507.v050055d0cb_dd
ec2:2.0.7
echarts-api:5.4.0-5
email-ext:2.98
embeddable-build-status:385.vc95f94e91fb_3
envinject:2.901.v0038b_6471582
envinject-api:1.199.v3ce31253ed13
external-monitor-job:203.v683c09d993b_9
favorite:2.4.2
font-awesome-api:6.4.0-1
forensics-api:2.3.0
git:5.1.0
git-client:4.4.0
git-parameter:0.9.18
git-server:99.va_0826a_b_cdfa_d
github:1.37.1
github-api:1.314-431.v78d72a_3fe4c3
github-autostatus:3.6.2
github-branch-source:1725.vd391eef681a_e
github-checks:545.v79a_a_68b_ca_682
github-pr-comment-build:96.v9ff13b69dd66
global-slack-notifier:1.5
google-compute-engine:4.3.14
google-kubernetes-engine:0.8.8
google-oauth-plugin:1.0.8
gradle:2.8
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
hashicorp-vault-pipeline:1.4
hashicorp-vault-plugin:360.v0a_1c04cf807d
htmlpublisher:1.31
hubot-steps:95.va_30176518a_5a
instance-identity:142.v04572ca_5b_265
ionicons-api:56.v1b_1c8c49374e
ivy:2.5
jackson2-api:2.15.2-350.v0c2f3f8fc595
jacoco:3.3.3
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javadoc:233.vdc1a_ec702cff
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-8
jaxb:2.3.8-1
jdk-tool:66.vd8fa_64ee91b_d
jenkins-design-language:1.27.4
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.84
jobConfigHistory:1212.vd4470d08ff12
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.7.0-1
jsch:0.2.8-65.v052c39de79b_2
junit:1207.va_09d5100410f
kubernetes:3937.vd7b_82db_e347b_
kubernetes-client-api:6.4.1-215.v2ed17097a_8e9
kubernetes-credentials:0.10.0
kubernetes-pipeline-devops-steps:1.6
ldap:682.v7b_544c9d1512
lockable-resources:1156.v5e9f897ece02
mailer:457.v3f72cb_e015e5
matrix-auth:3.1.8
matrix-project:789.v57a_725b_63c79
maven-plugin:3.22
mercurial:1260.vdfb_723cdcc81
metrics:4.2.18-439.v86a_20b_a_8318b_
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
momentjs:1.1.1
multibranch-build-strategy-extension:1.0.10
node-iterator-api:49.v58a_8b_35f8363
oauth-credentials:0.645.ve666a_c332668
okhttp-api:4.11.0-145.vcb_8de402ef81
pam-auth:1.10
parameterized-trigger:2.45
pipeline-as-yaml:0.16-rc
pipeline-aws:1.43
pipeline-build-step:496.v2449a_9a_221f2
pipeline-github:2.8-147.3206e8179b1c
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:656.va_a_ceeb_6ffb_f7
pipeline-input-step:468.va_5db_051498a_4
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2141.v5402e818a_779
pipeline-model-definition:2.2141.v5402e818a_779
pipeline-model-extensions:2.2141.v5402e818a_779
pipeline-multibranch-defaults:2.1
pipeline-rest-api:2.32
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2141.v5402e818a_779
pipeline-stage-view:2.32
pipeline-timeline:1.0.3
pipeline-utility-steps:2.15.4
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.3.0
popper-api:1.16.1-3
prism-api:1.29.0-7
prometheus:2.2.3
pubsub-light:1.17
purge-job-history:1.6
rebuild:320.v5a_0933a_e7d61
resource-disposer:0.22
role-strategy:633.v836e5b_3e80a_5
run-condition:1.5
s3:0.12.3445.vda_704535b_5a_d
saml:4.418.vdfa_7489a_b_a_2d
scm-api:672.v64378a_b_20c60
scm-filter-branch-pr:61.v45f2e5f81fde
script-security:1251.vfe552ed55f8d
sidebar-link:2.2.2
slack:664.vc9a_90f8b_c24a_
snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4
splunk-devops:1.10.1
sse-gateway:1.26
ssh-agent:333.v878b_53c89511
ssh-credentials:305.v8f4381501156
ssh-slaves:2.877.v365f5eb_a_b_eec
ssh-steps:2.0.65.vd26b_5b_9b_de4d
sshd:3.303.vefc7119b_ec23
startup-trigger-plugin:2.9.3
structs:324.va_f5d6774f3a_d
timestamper:1.25
token-macro:359.vb_cde11682e0c
trilead-api:2.84.v72119de229b_7
variant:59.vf075fe829ccb
warnings-ng:10.2.0
webhook-step:173.vfa_b_93560b_977
workflow-aggregator:596.v8c21c963d92d
workflow-api:1213.v646def1087f9
workflow-basic-steps:1017.vb_45b_302f0cea_
workflow-cps:3691.v28b_14c465a_b_b_
workflow-cps-global-lib:609.vd95673f149b_b
workflow-durable-task-step:1247.v7f9dfea_b_4fd0
workflow-job:1308.v58d48a_763b_31
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:839.v35e2736cfd5c
ws-cleanup:0.45

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu. Everywhere.

Reproduction steps

All I need is the plugin installed, but with an agent that is firewall-blocked.

Consider an iptables approach with a CIDr block to shut off internet access on that agent (while still permitting access to the jenkins controller).

Expected Results

I expect it to fail. Or frankly, I expect to be able to assign a GitHub URL of my internal server. Maybe have the server implied based on my scm configuration of the build, and no error happens.

Actual Results

[GitHub Checks] Failed Publishing GitHub checks: java.io.IOException: GitHub Enterprise server (https://api.github.com) with private mode enabled

Anything else?

There needs to be an input parameter. Publishing to the public website is a huge leak of proprietary information. Is it really doing this??

[macetw]

Suggest another improvement, that the url is shown on the success output:
[GitHub Checks] GitHub check (name: Jenkins, status: in_progress) has been published.

[timja]

I expect your instance is misconfigured somewhere, you need to set the right API url. You can override it on your GitHub app credential I think

[timja]

Thanks for trying to help enravi but I'm assuming that's AI generated and it's incorrect.
There is no GitHub checks configuration section

---

I've double checked and yes the api url needs setting on the GitHub App credential (in the advanced settings for the credential)

github-checks-plugin/src/main/java/io/jenkins/plugins/checks/github/GitHubChecksPublisher.java

Lines 77 to 79 in 8d17133

	if (credentials instanceof GitHubAppCredentials) {
	apiUri = ((GitHubAppCredentials) credentials).getApiUri();
	}

[ravirajvanshi]

Thank you for the clarification. It appears that the GitHub Checks plugin relies on the API URL configured within the GitHub App credential settings for its behavior.