Feature request
Request: Add support in Tekton Pipelines-as-Code (PAC) for using Bitbucket Data Center “project access tokens / project-level HTTP access tokens” (i.e., non-user, project-scoped tokens) when running pipelines-as-code in Bitbucket Data Center.
Why: Today, PAC’s Bitbucket Data Center provider documentation recommends using a Bitbucket Personal Access Token (PAT) with elevated permissions and notes constraints around the token-owning user (e.g., must be a licensed Bitbucket user for certain permission checks).
In many enterprises, using user-bound PATs is discouraged because they:
- Are coupled to an individual identity (lifecycle issues when the user leaves/changes roles).
- Require licensing and group membership workarounds.
- Are harder to audit/rotate consistently compared to dedicated integration tokens.
Bitbucket Data Center supports HTTP access tokens that can be created for users as well as teams working in projects and repositories, and explicitly supports project/repository level tokens (including Bearer authentication).
This is closer to Bitbucket Cloud’s project-level access token concept: a token tied to a project (not a user), intended for integrations and limited scopes with expiry.
For info at https://support.atlassian.com/bitbucket-cloud/docs/project-access-tokens/
https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html (read Create HTTP access tokens for projects or repositories)
Use case
Use case
We run Bitbucket Data Center and want to adopt Pipelines-as-Code with a “service identity” that is project-scoped rather than user-scoped.
Concrete scenario:
- A platform team manages PAC for ~50 repos inside a Bitbucket project.
- Security policy forbids long-lived, user-bound PATs for CI integrations.
- We want to use a project-level HTTP access token (created at the project level) to:
- Configure PAC webhooks / repository integration,
- Allow PAC to fetch repository content & update PR statuses/checks,
- Avoid coupling to a licensed user account.
Related issues
This issue is related with:
#2470 (given project tokens don't have any admin access)
#1338 (given project tokens make use of x-token-auth user were bearer authentication is the base64 encoded string of x-token-auth:<project-token> more info at https://support.atlassian.com/bitbucket-cloud/docs/using-access-tokens/ and https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html read Using HTTP access tokens)
Feature request
Request: Add support in Tekton Pipelines-as-Code (PAC) for using Bitbucket Data Center “project access tokens / project-level HTTP access tokens” (i.e., non-user, project-scoped tokens) when running pipelines-as-code in Bitbucket Data Center.
Why: Today, PAC’s Bitbucket Data Center provider documentation recommends using a Bitbucket Personal Access Token (PAT) with elevated permissions and notes constraints around the token-owning user (e.g., must be a licensed Bitbucket user for certain permission checks).
In many enterprises, using user-bound PATs is discouraged because they:
Bitbucket Data Center supports HTTP access tokens that can be created for users as well as teams working in projects and repositories, and explicitly supports project/repository level tokens (including Bearer authentication).
This is closer to Bitbucket Cloud’s project-level access token concept: a token tied to a project (not a user), intended for integrations and limited scopes with expiry.
For info at https://support.atlassian.com/bitbucket-cloud/docs/project-access-tokens/
https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html (read Create HTTP access tokens for projects or repositories)
Use case
Use case
We run Bitbucket Data Center and want to adopt Pipelines-as-Code with a “service identity” that is project-scoped rather than user-scoped.
Concrete scenario:
Related issues
This issue is related with:
#2470 (given project tokens don't have any admin access)
#1338 (given project tokens make use of x-token-auth user were bearer authentication is the base64 encoded string of
x-token-auth:<project-token>more info at https://support.atlassian.com/bitbucket-cloud/docs/using-access-tokens/ and https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html read Using HTTP access tokens)