Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
Description
If the permissions of an user are granted on organization membership rather than team membership. The PR from the user aren't considered trusted. But are considered if the user push directly to the repository.
Attachments
Issue Links
- is blocked by
-
JENKINS-43426
Refactor UX for GitHub and Bitbucket branch sources
-
- Closed
-
- is duplicated by
-
-
- Resolved
-
-
-
- Closed
-
-
JENKINS-37931 PR build can use PR's head/merge Jenkinsfile insted of master branch.
-
- Resolved
-
- is related to
-
JENKINS-37608 Configurability of GitHub Branch Source to use Scan User with only Read permission
-
- Resolved
-
- links to
- mentioned in
-
Page Loading...
Activity
| Field | Original Value | New Value |
|---|---|---|
| Remote Link | This issue links to "current poor implementation (Web Link)" [ 14597 ] |
| Workflow | JNJira [ 172934 ] | JNJira + In-Review [ 184836 ] |
| Link |
This issue is related to |
| Assignee | Jesse Glick [ jglick ] |
In my experiments, it does work, with one caveat: if the scan token does not have administrative permission on the repository, the result is a 404. Which means that JENKINS-37608 is not satisfiable without loss of functionality.
| Assignee | Jesse Glick [ jglick ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Remote Link | This issue links to "PR 96 (Web Link)" [ 15139 ] |
| Status | In Progress [ 3 ] | In Review [ 10005 ] |
Ryan Campbell
made changes -
| Link |
This issue is duplicated by |
Patrick Thiel
made changes -
| Comment |
[ Using a multibranch pipeline project with the latest SCM API 2.0 release, we have also noticed PR's from contributors getting flagged as untrusted sources.. Despite the PR author having admin privileges as a contributor and is the member of a Github team that also has Write permissions for the repository. To test this.. # Submit a PR with changes to a project's Jenkinsfile (add an echo or something) # Open up a PR and scan the repository. # Observe, In the scan log, your PR will look something like the following: {code} Checking pull request #1817 (not from a trusted source) Job name: PR-1817 ‘Jenkinsfile’ found Met criteria {code} Since it's not a trusted source, when building this pull request, Jenkins will revert to using the Jenkinsfile on the base branch.. The log in the Jenkins PR job will look like this: {code} Loading trusted files from base branch dev at {commit} rather than {commit} {code} Seems related to this issue. I can file another defect for this, but I wanted to check in here first. ] |
| Link |
This issue is duplicated by |
| Status | In Review [ 10005 ] | In Progress [ 3 ] |
| Labels | scm-api-tidy-scrub |
| Labels | scm-api-tidy-scrub | scm-api-tidy |
| Link |
This issue is blocked by |
| Remote Link | This issue links to "github-api PR 358 (Web Link)" [ 17116 ] |
Status: https://github.com/jenkinsci/github-branch-source-plugin/pull/148 is basically approved by Jesse (had one bit of feedback for a field that should not be configurable).
What is missing:
- testing with GH .com . Could have mock (possibly live? but very very expensive to test)
- Verifying if GHE can do this, or not yet?
| Labels | scm-api-tidy | cloudbees-internal-pipeline scm-api-tidy |
| Status | In Progress [ 3 ] | In Review [ 10005 ] |
| Assignee | Jesse Glick [ jglick ] | Andrew Bayer [ abayer ] |
abayer thought this may make sense in a future queue for you - at a juncture that makes sense (no urgency).
We have confirmed (but not tested) that this should work just fine with GHE (at least newer version) - so that bit is ok, but what we don't have is a strategy to test this. I know vivek has some experience in mocking various github things with reasonable effect to test, so that would be worth considering before merging this.
If automated testing is really not possible, then at least a documented test scenario in the README or something would help (and obviously trying it out) - and then the "poor implementation" could be merged in IMO.
Sound ok?
Code changed in jenkins
User: Stephen Connolly
Path:
src/main/java/org/jenkinsci/plugins/github_branch_source/ForkPullRequestDiscoveryTrait.java
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSourceRequest.java
src/main/resources/org/jenkinsci/plugins/github_branch_source/ForkPullRequestDiscoveryTrait/TrustPermission/config.jelly
src/main/resources/org/jenkinsci/plugins/github_branch_source/ForkPullRequestDiscoveryTrait/TrustPermission/help-permission.html
src/main/resources/org/jenkinsci/plugins/github_branch_source/ForkPullRequestDiscoveryTrait/help-trust.html
src/main/resources/org/jenkinsci/plugins/github_branch_source/Messages.properties
http://jenkins-ci.org/commit/github-branch-source-plugin/c10b23bbe37efca325340c5ac65d6876d3fe7684
Log:
JENKINS-36240 Initial stab at rework
Code changed in jenkins
User: Stephen Connolly
Path:
src/main/java/org/jenkinsci/plugins/github_branch_source/ForkPullRequestDiscoveryTrait.java
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubPermissionsSource.java
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSource.java
src/main/java/org/jenkinsci/plugins/github_branch_source/GitHubSCMSourceRequest.java
http://jenkins-ci.org/commit/github-branch-source-plugin/3299bf5834078047e8461b3c53bf28c5115d3ff5
Log:
[FIXED JENKINS-36240] Full implementation
| Resolution | Fixed [ 1 ] | |
| Status | In Review [ 10005 ] | Resolved [ 5 ] |
| Assignee | Andrew Bayer [ abayer ] | Stephen Connolly [ stephenconnolly ] |
| Remote Link | This issue links to "Page (Jenkins Wiki)" [ 17306 ] |
| Link |
This issue is duplicated by |
| Status | Resolved [ 5 ] | Closed [ 6 ] |
| Remote Link | This issue links to "CloudBees Internal CD-154 (Web Link)" [ 19074 ] |
Good news: there is a new experimental endpoint which should give us exactly what we need.