Figured out a workaround.
1. Write a scriptler script that approves pending scripts with a given identifier (we used something simple like '// SCRIPTLER AUTO APPROVE'). Thanks to sag47 for pointing me to the code to approve a script.
– Select 'Permission' option (Allow execution by user with RunScripts permission)
– Select 'Restriction' option (Script is always executed on Master)
– Script parameter: "approvalPrefix"
– Script:
    import jenkins.model.Jenkins

    // Look up the Script Security plugin's approval store
    def scriptApproval = Jenkins.instance.getExtensionList('org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval')[0]
    // Collect the hashes of pending scripts that start with the approvalPrefix parameter
    def hashesToApprove = scriptApproval.pendingScripts.findAll{ it.script.startsWith(approvalPrefix) }.collect{ it.getHash() }
    hashesToApprove.each {
        scriptApproval.approveScript(it)
    }
2. Use the configure UI to add another step to your DSL seed job to run the Scriptler script created in step 1.
3. Add '// SCRIPTLER AUTO APPROVE' at the top of any Groovy script you want approved.
If your DSL seed job is itself configured by DSL, complete steps 4-5:
4. Look at the config.xml generated by manually adding this step to your DSL seed job. You need to grab the value in the 'builderId' field.
5. Add the additional step to your DSL seed job to run the Scriptler script created above in step 1.
– DSL for adding the step:
    def approvePrefixParam = {
        name 'approvalPrefix'
        value '
    }
    configure { project ->
        project / builders << 'org.jenkinsci.plugins.scriptler.builder.ScriptlerBuilder' {
            builderId(<builderIdGrabbedFromXml>)
            scriptId('approveGroovyScripts.groovy')
            propagateParams(false)
            parameters {
                'org.jenkinsci.plugins.scriptler.config.Parameter' approvePrefixParam
            }
        }
    }
I reverse engineered how script approvals work and automatically approve scripts via hashing. I didn't have time for an upstream fix for this and I don't know what it would be.
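A stricter form of the approval script from step 1, as an added example rather than code from the original posts: it refuses an empty prefix, approves only pending scripts whose approval context names a job on an allowlist, and logs every decision. The `allowedItems` and `dryRun` parameters are hypothetical, and the script assumes each pending entry records the job that submitted it.

```groovy
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval

// Scriptler binds parameters as strings. 'approvalPrefix' is the post's
// parameter; 'allowedItems' (comma-separated full job names) and 'dryRun'
// are hypothetical parameters added for this example.
String prefix = (approvalPrefix ?: '').trim()
Set<String> allowed = (allowedItems ?: '').split(',')*.trim().findAll { it } as Set
boolean reportOnly = !'false'.equalsIgnoreCase((dryRun ?: 'true').trim())

// String.startsWith('') is true for every script, so an empty prefix would
// approve the whole pending queue. Refuse to run in that case.
if (!prefix) {
    throw new IllegalArgumentException('approvalPrefix must not be empty')
}

def approval = ScriptApproval.get()
// findAll returns a new collection, so approving entries below does not
// disturb the iteration.
def matching = approval.pendingScripts.findAll { it.script.startsWith(prefix) }

int approved = 0
matching.each { pending ->
    // Assumption: the pending entry records the job that submitted it.
    def job = pending.context.item?.fullName
    def user = pending.context.user ?: 'unknown'
    boolean trusted = job != null && allowed.contains(job)
    String action = !trusted ? 'SKIP' : (reportOnly ? 'WOULD APPROVE' : 'APPROVE')
    // One line per decision, so the seed job's console log is an audit trail.
    println "${action} hash=${pending.hash} job=${job} user=${user}"
    if (trusted && !reportOnly) {
        approval.approveScript(pending.hash)
        approved++
    }
}
println "matched=${matching.size()} approved=${approved} dryRun=${reportOnly}"
```

Run it with `dryRun` left at its default first and review the SKIP lines: they are prefixed scripts that came from somewhere other than the jobs you listed.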