    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • None
    • github-branch-source-plugin: 2.0.0-beta-1
      jenkins: 2.36

      When building PRs from origin (not forks), their Jenkinsfile is not treated as trusted and loaded from the base branch instead:

      Loading trusted files from base branch develop at 3ad383ee0eeffc92c9712dc8e3022c4b43a75c94 rather than 3e2b6e35cbf0fd2d4c029fcd23560f04b1976618

      Settings:

      [x] Build origin branches
      [x] Build origin PRs (unmerged head)

      IMHO any PR from origin should be treated as trusted. There is no issue with building their branches via "Build origin branches also filed as PRs".

          [JENKINS-40652] origin pr builds not treated as trusted

          Martin Ringehahn created issue -
          Martin Ringehahn made changes -
          Summary Original: origin pr builds treated as trusted New: origin pr builds not treated as trusted

          John Zila added a comment -

          +1. In my config this makes PR builds useless, because they're always building master.


          Patrick Thiel added a comment -

          +1. This is pretty much a blocker for us. We were right in the middle of migrating to using Jenkinsfiles and multibranch pipelines when we encountered this.

          Basically, if you don't already have a Jenkinsfile merged to the base branch (say your PR contains a WIP Jenkinsfile, like in our case), then Jenkins throws an error stating no Jenkinsfile found. It's only loading trusted files from the base branch, which at this point doesn't contain a Jenkinsfile, so nothing runs.
          Here are some steps to reproduce that I posted in another comment:

          Using a multibranch pipeline project with the latest SCM API 2.0 release, we have also noticed PRs from contributors getting flagged as untrusted sources, despite the PR author having admin privileges as a contributor and being a member of a GitHub team that also has Write permissions for the repository.

          To test this:

          Build settings:
          [x] Build origin PRs (unmerged head)

          1. Submit a PR to origin base branch with changes to the Jenkinsfile (add an echo or something)
          2. Open up a PR and scan the repository.
          3. Observe: in the scan log, the source will appear untrusted
          4. Jenkins will check out the base branch instead
          5. The base branch Jenkinsfile is executed

          The repository scan log looks like this:

              Checking pull request #1817
              (not from a trusted source)
              Job name: PR-1817
                ‘Jenkinsfile’ found
              Met criteria
          

          Jenkins PR job log:

          Loading trusted files from base branch dev at {commit} rather than {commit}
          

          Patrick Thiel made changes -
          Epic Link New: JENKINS-41234 [ 177999 ]
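
Added example, not part of the original issue or of any Jenkins plugin: a Python script that reads the two log shapes quoted in the comment above and reports which PRs are being built with the base branch's Jenkinsfile instead of their own. It assumes a PR block without the "(not from a trusted source)" line is trusted; the function names and PR #1818 are made up for the example.

```python
import re

# Line shapes are taken from the logs quoted in this issue; other lines are ignored.
PR_START = re.compile(r"Checking pull request #(\d+)")
UNTRUSTED = "(not from a trusted source)"
SUBSTITUTED = re.compile(r"Loading trusted files from base branch (\S+) at (\S+) rather than (\S+)")

def parse_scan_log(text):
    """Map PR number -> {'trusted', 'met_criteria'} from a repository scan log."""
    prs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PR_START.search(line)
        if m:
            # Assumption: a PR block without the "untrusted" marker is trusted.
            current = prs.setdefault(int(m.group(1)), {"trusted": True, "met_criteria": False})
        elif current is None:
            continue
        elif line == UNTRUSTED:
            current["trusted"] = False
        elif line == "Met criteria":
            current["met_criteria"] = True
    return prs

def untrusted_prs(text):
    """PR numbers that will be built, but with the base branch's Jenkinsfile."""
    return sorted(n for n, s in parse_scan_log(text).items()
                  if s["met_criteria"] and not s["trusted"])

def find_substitution(build_log):
    """Return (base_branch, base_commit, pr_head) if trusted files were swapped in."""
    m = SUBSTITUTED.search(build_log)
    return m.groups() if m else None

# Constructed sample input modelled on the excerpts above; PR #1818 is invented.
SAMPLE_SCAN = """\
Checking pull request #1817
(not from a trusted source)
Job name: PR-1817
  ‘Jenkinsfile’ found
Met criteria
Checking pull request #1818
Job name: PR-1818
  ‘Jenkinsfile’ found
Met criteria
"""
SAMPLE_BUILD = ("Loading trusted files from base branch develop at "
                "3ad383ee0eeffc92c9712dc8e3022c4b43a75c94 rather than "
                "3e2b6e35cbf0fd2d4c029fcd23560f04b1976618")
```

A non-empty `untrusted_prs()` result for PRs that were opened from origin branches is the symptom reported here; `find_substitution()` confirms it from the build side by showing which commit's files actually ran.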

          marc young added a comment -

          I have the same issue. Linking https://issues.jenkins-ci.org/browse/JENKINS-37931
          marc young made changes -
          Link New: This issue is related to JENKINS-37931 [ JENKINS-37931 ]
          marc young made changes -
          Rank New: Ranked higher

          Daniel Beck added a comment -

          This issue predated SCM API 2.0.

          Daniel Beck made changes -
          Epic Link Original: JENKINS-41234 [ 177999 ]

            stephenconnolly Stephen Connolly
            chrono Martin Ringehahn