-
Bug
-
Resolution: Fixed
-
Major
GitHub PRs for public repos were disabled in the 1.3 release due to concerns about untrusted Jenkinsfiles. While that's understandable, the result is that, well, this doesn't build PRs any more unless you're using a private repo, and that's unfortunate to say the least. This is especially inconvenient for a GitHub Enterprise use case, since "public repos" doesn't mean the same thing there.
- depends on
-
JENKINS-34596 Set visible flag when Jenkinsfile is taken from a trusted revision rather than PR head
-
- Resolved
-
- links to
[JENKINS-33256] Re-enable GitHub PR support for public repos
| Remote Link | New: This issue links to "workflow-plugin PR 244 (Web Link)" [ 14018 ] |
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
| Remote Link | New: This issue links to "scm-api-plugin PR 5 (Web Link)" [ 14019 ] |
| Labels | New: api security workflow |
Nah, it's definitely a bug, albeit one introduced for good reasons. =) Putting aside github.com public repo use cases, GitHub Enterprise behind-the-firewall use cases are basically all now broken, and "public" behind-the-firewall repos are basically equivalent to github.com private repos, so they shouldn't be restricted, IMO.
And fwiw, I like the idea of being able to say "just use the Jenkinsfile from the target branch" without worrying about who the author is in most cases. Obviously, for PRs with legit changes to the Jenkinsfile, that's a bit different, but the majority of use cases, etc.
abayer My initial proposal was to consider both private and public repos. In fact, thus is in 1.2. Anyway I'm sure we can find a better solutions. Thanks for your feedback.
Initial planned implementation: PRs to always be built; if the author of the PR has push permission to the origin repository (or, if this information is not easily available from GH, if they are a member of the same organization), build their Jenkinsfile as written; if not, use the Jenkinsfile from the target branch.
Possible add-on: a way to determine from Jenkinsfile whether it is coming from the PR branch or the target branch. I am not sure there is a real use case for this, though.