Brian J Murrell
I agree this is a problem. Tracking down where it is coming from is a bit more involved, partly because the basic-build-branch plugin currently often doesn't log output about what it observes. This means that I can't really tell from this output what is going on - why it is choosing to build these PRs instead of rejecting them.
Have you tried setting Trusted to "Nobody" as suggested here:
From what I see that results in the correct behavior, so for truly untrusted cases the filter seems to work:
Checking pull request#10
(not from a trusted source)
‘Jenkinsfile’ found
Met criteria
Changes detected: PR-10-head (badd9a4f697a55c573b4d4fbabb61870e8efa4ea → e9e963e7ebfd5a54874c8962a9108930edcbb421)
Loading trusted files from base branch master at bc1bf622bedeb9a04debfa2236620eb0edac6dc6 rather than e9e963e7ebfd5a54874c8962a9108930edcbb421
No automatic build triggered for PR-10-head (not from a trusted source)
You could then specify users to still build for.
To be clear, there is a bug here and it should be fixed, but it will take some work to isolate.