- GitHub Branch Source Plugin: [1917.v9ee8a_39b_3d0d]
- Jenkins version: [2.541.3]
- Agent OS: Windows (static/permanent node)
- Git version: 2.51.0.windows.2
```\
</details>
### What Operating System are you using (both controller, and any agents involved in the problem)?
Linux (GKE - Google Kubernetes Engine)
Jenkins running as a containerized workload
Agents (where the problem occurs)
Windows - static/permanent nodes
Confirmed agent: jenkins-win
Git version: 2.51.0.windows.2
Agents (where it works fine)
Linux - dynamic/ephemeral agents
Token refresh works correctly on these
### Reproduction steps
1. Configure a Jenkins job using GitHub App credential
(credential type: GitHub App) for SCM checkout via HTTPS
2. Run the job successfully on a Windows static/permanent agent
3. Wait approximately 1 hour without triggering another build
(allowing the GitHub App installation token to expire)
4. Trigger the same job again on the same Windows static agent
5. Observe build failure at SCM checkout stage
### Expected Results
GitHub App installation token should be refreshed automatically before each build regardless of agent type or OS, consistent with the behaviour already working on Linux static agents (fixed in PR #291) and Linux ephemeral agents.
### Actual Results
Build fails at SCM checkout with:
remote: Invalid username or token.
Password authentication is not supported for Git operations.
fatal: Authentication failed for 'https://github.com/org/repo.git/'
The expired token is being cached in Windows Credential Manager via the GIT_ASKPASS mechanism and reused on subsequent builds without
refresh. An immediate manual retry always succeeds because it forces a new token generation.
Build history showing consistent ~1hr failure pattern:
Build 7 ✅ 1:19 PM (token generated)
Build 14 ❌ 2:34 PM (~1hr 15min later - token expired)
Build 15 ✅ 2:35 PM (immediate retry - fresh token)
Build 16 ❌ 4:12 PM (~1hr 37min later - token expired again)
Build 17 ✅ 4:12 PM (immediate retry - fresh token)
### Anything else?
Root cause suspected:
On Windows, GIT_ASKPASS delegates credential handling to Windows Credential Manager which caches the token. Unlike Linux, the Windows
Credential Manager cache is not invalidated between builds, causing the stale expired token to be reused.
PR #291 fixed token refresh for Linux static nodes but the fix does not cover Windows agents where credential caching behaviour is fundamentally different.
Current workaround applied in Jenkinsfile:
bat 'cmdkey /delete:LegacyGenericCredential:https://github.com || exit 0'
bat 'cmdkey /delete:git:https://github.com || exit 0'
This clears the Windows Credential Manager cache before each checkout forcing Jenkins to generate a fresh token. This confirms the cached
credential is the root cause.
Reference: PR #291 - https://github.com/jenkinsci/github-branch-source-plugin/pull/291
### Are you interested in contributing a fix?
Yes — the suspected fix would be in GitHubAppCredentials.java to add Windows-specific credential cache invalidation logic, mirroring what PR #291 did for Linux but accounting for the Windows Credential Manager behaviour differences with GIT_ASKPASS.
Happy to work on a PR with guidance from maintainers on the preferred approach.
Jenkins and plugins versions report
Environment