Fix GitHub App token expiry on Windows static agents

[pruthviraja]

Summary

Fixes #1515

On Windows, git credential helpers (wincred / git-credential-manager) cache GitHub App installation tokens in Windows Credential Manager and serve them directly on subsequent Git operations, bypassing GIT_ASKPASS entirely. This causes Authentication failed errors every ~1 hour on permanent Windows nodes even though Jenkins correctly generates a fresh token.

Root cause: PR #291 fixed token refresh for Linux static agents via DelegatingGitHubAppCredentials. On Linux, Git always calls GIT_ASKPASS to get credentials. On Windows, Git checks Windows Credential Manager first — if a cached entry exists it never calls GIT_ASKPASS, so the expired cached token is used instead of the fresh one Jenkins prepared.

Observed pattern from the field:

Build 7  ✅ 1:19 PM  (token generated)
Build 14 ❌ 2:34 PM  (~1hr 15min later — token expired in WCM)
Build 15 ✅ 2:35 PM  (immediate retry — fresh token)
Build 16 ❌ 4:12 PM  (~1hr 37min later — token expired again)
Build 17 ✅ 4:12 PM  (immediate retry — fresh token)

Fix

Inside DelegatingGitHubAppCredentials.getPassword() (runs on the agent JVM), after obtaining a fresh token, detect Windows via os.name and run:

cmdkey /delete:git:https://<host>
cmdkey /delete:LegacyGenericCredential:https://<host>

This evicts the stale cached entry so Git falls through to GIT_ASKPASS and uses the fresh token Jenkins provides. Both the modern (git:) and legacy (LegacyGenericCredential:) key formats are cleared to cover all Windows Git credential helper variants.

The clearing is:

• No-op when WCM has no entry for that host (cmdkey exits 1, silently ignored)
• Skipped entirely on non-Windows agents (Linux, macOS)
• Skipped on ephemeral agents where WCM is empty at startup anyway

Changes

• GitHubAppCredentials.java

  • CLEAR_WINDOWS_CREDENTIAL_MANAGER_CACHE — public flag (default true), disableable from script console without redeployment
  • windowsCredentialCleaner — replaceable Consumer<String> so tests never invoke cmdkey
  • deriveGitHostFromApiUri() — maps https://api.github.com → github.com; passes GHE host through unchanged
  • clearWindowsCredentialManagerCache() — clears both WCM key formats
  • DelegatingGitHubAppCredentials.apiUri — stored in plaintext (not sensitive) for host derivation on the agent
  • DelegatingGitHubAppCredentials.getPassword() — calls cache clearing after token refresh, outside the synchronized block

• GithubAppCredentialsWindowsAgentTest.java (new)

  • Unit tests for deriveGitHostFromApiUri() (standard GitHub, GHE, port, malformed URI, empty)
  • Unit tests for clearWindowsCredentialManagerCache() key format and flag behaviour
  • Uses a recording stub for windowsCredentialCleaner — runs on any OS, never invokes cmdkey

Verification

Tested on GKE Jenkins controller with a permanent Windows agent (Git 2.51.0.windows.2). Agent log after triggering token refresh:

Cleared Windows Credential Manager entry: git:https://github.com (exit: 0)
Cleared Windows Credential Manager entry: LegacyGenericCredential:https://github.com (exit: 1)

Exit 0 = entry evicted. Exit 1 on LegacyGenericCredential = key not present (normal — this Windows agent uses the modern git: format only). Both checkouts succeeded after the 60s stale threshold was crossed.

Backwards compatibility

Scenario	Behaviour
Linux / macOS agents	os.name check fails — no cmdkey call, zero change
Ephemeral Windows agents	WCM is empty at pod startup; cmdkey /delete is a no-op (exit 1)
GHE instances	deriveGitHostFromApiUri extracts GHE host correctly
cmdkey not on PATH	Exception caught, logged at WARNING, build continues
Opt-out	Set GitHubAppCredentials.CLEAR_WINDOWS_CREDENTIAL_MANAGER_CACHE=false via system property or script console

[pruthviraja]

Hi maintainers — could someone please trigger CI and review this?
This fixes a real production issue on Windows static agents where GitHub App
tokens expire every ~1 hr. Happy to address any feedback.