Set visible flag when Jenkinsfile is taken from a trusted revision rather than PR head

      Description

      When pull requests are made from private repos in a GitHub organization, for example: a developer forks a repo, commits some changes, then submits a pull request from the forked repo. In that case the files are taken from the organization instead of the developer, so the tests actually run on the wrong code; they pass and the pull request in GitHub gets marked as passing even though it was never actually tested.

      A way to know if the revision of the Jenkinsfile is not the same as the branch tip (a.k.a. the Jenkinsfile comes from an untrusted branch) would be great.

      https://github.com/jenkinsci/github-branch-source-plugin/blob/a10e869ec3b653b05eb188bd1e4054211d32294f/src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java#L421-L433

            Activity

            escoem Emilio Escobar created issue -
            amuniz Antonio Muñiz made changes -
            Component/s: (none) → github-branch-source-plugin [ 20858 ]
            amuniz Antonio Muñiz added a comment -

            A possible solution would be to add an environment variable to env in SCMBinder#create.

            jglick Jesse Glick made changes -
            Link This issue is blocking JENKINS-33256 [ JENKINS-33256 ]
            jglick Jesse Glick made changes -
            Summary: Add a way to know if the revision of the Jenkinsfile is not the same than the branch tip → Set visible flag when Jenkinsfile is taken from a trusted revision rather than PR head
            jglick Jesse Glick made changes -
            Labels multibranch
            jglick Jesse Glick added a comment -

            My plan is a little different: introduce a readTrusted step which would work without a checkout, retrieve the contents of a named file from the repository, and either load from the designated commit, if it were trustworthy, or fail if it were not.

            The case of failing a PR build in case the (untrusted) submitter modified Jenkinsfile would thus reduce to starting the (origin) Jenkinsfile with

            readTrusted 'Jenkinsfile'
            

            (ignoring the return value). But it could be used for other purposes too.

            amuniz Antonio Muñiz added a comment -

            introduce a readTrusted step which would work without a checkout

            How is that going to work with GitSCMSource?

            jglick Jesse Glick made changes -
            Status: Open [ 1 ] → In Progress [ 3 ]
            jglick Jesse Glick added a comment -

            Like Jenkinsfile itself, it uses a private workspace pending JENKINS-33273. Of course GitSCMSource does not implement getTrustedRevision so using this step would be pointless with that SCM source: all origin branches are trusted anyway.

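            A Jenkinsfile that applies the readTrusted step as described in the two comments above (the step design, and the caveat that it is a no-op with GitSCMSource), as an added example that is not code from this issue or from the plugin itself. The readTrusted step and its behaviour (return the trusted revision's copy of the file, or fail the build if the revision being built modified it) are those of the step added by the commit recorded in this issue; the path ci/build.sh and the stage names are hypothetical.

```groovy
// Added example Jenkinsfile (scripted Pipeline syntax); not from the issue or the plugin.
// Assumes a multibranch project whose SCM source implements getTrustedRevision
// (e.g. a GitHub organization folder). With GitSCMSource every origin branch is
// trusted, so readTrusted never fails there and this guard adds nothing.

// 1. Guard the pipeline definition itself. readTrusted needs no workspace and
//    compares the file in the revision being built against the trusted revision;
//    if they differ the build fails here, so a PR that edits Jenkinsfile stops
//    instead of being marked as passing on code it never ran.
readTrusted 'Jenkinsfile'

// 2. Same guard for a build script (ci/build.sh is a hypothetical path).
//    On success the returned String is the trusted revision's copy of the file.
String buildScript = readTrusted 'ci/build.sh'

node {
    stage('Checkout') {
        // The workspace still receives the PR revision: the submitter's code is
        // what gets built and tested, only the control files above are pinned.
        checkout scm
    }
    stage('Build') {
        // Run the contents readTrusted returned rather than re-reading the file
        // from the workspace; had the PR touched ci/build.sh, step 2 would
        // already have failed the build.
        sh buildScript
    }
}
```

            Note that this does not make the PR's own code trusted: only the files passed to readTrusted are checked against the trusted revision, so anything the PR can influence from inside the checked-out workspace (Makefiles, test fixtures, scripts invoked by ci/build.sh) still runs as submitted.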
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-33273 [ JENKINS-33273 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "PR 10 (Web Link)" [ 14344 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-32400 [ JENKINS-32400 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep.java
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/Messages.properties
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep/config.jelly
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep/help-path.html
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep/help.html
            src/test/java/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStepTest.java
            src/test/java/org/jenkinsci/plugins/workflow/multibranch/SCMBinderTest.java
            http://jenkins-ci.org/commit/workflow-multibranch-plugin/2f95b57358c45e2c9d4c7aa38261d7b5857a574d
            Log:
            [FIXED JENKINS-34596] Added readTrusted step.

            scm_issue_link SCM/JIRA link daemon made changes -
            Status: In Progress [ 3 ] → Resolved [ 5 ]
            Resolution: Fixed [ 1 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep.java
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/Messages.properties
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep/config.jelly
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep/help-path.html
            src/main/resources/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStep/help.html
            src/test/java/org/jenkinsci/plugins/workflow/multibranch/ReadTrustedStepTest.java
            src/test/java/org/jenkinsci/plugins/workflow/multibranch/SCMBinderTest.java
            http://jenkins-ci.org/commit/workflow-multibranch-plugin/830a4e40559a7f242d1777f3f5e5ec774b106846
            Log:
            Merge pull request #10 from jglick/readTrusted-JENKINS-34596

            JENKINS-34596 Added readTrusted step

            Compare: https://github.com/jenkinsci/workflow-multibranch-plugin/compare/c2a40fe2ceb8...830a4e40559a

            abayer Andrew Bayer made changes -
            Component/s pipeline-general [ 21692 ]
            abayer Andrew Bayer made changes -
            Component/s workflow-plugin [ 18820 ]

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                escoem Emilio Escobar
              • Votes:
                0
                Watchers:
                5
