For improved functionality, usability, and discoverability, we should complement readTrusted with

      • isTrusted: take an SCM path, return true normally, false if in a branch project where this file has been modified by an untrusted user
      • loadTrusted: like evaluate(readTrusted 'f') but producing a new block scope like the load step would

      On the UX front I think there was also a request to boldface the message about Jenkinsfile being pulled from the trusted branch rather than the PR branch, since this behavior can be surprising and is not immediately obvious from a plain text log. Ideally we could just turn this into an error in case Jenkinsfile had been modified, but that could be considered an incompatible change; perhaps it could be an advanced setting on the repo/org level, defaulting to failure for newly created projects. (We could also consider a fallback flag to readTrusted that would let a script use the same relaxed behavior when loading any SCM file: read from the trusted branch.)

          [JENKINS-45970] isTrusted & loadTrusted steps

          Jesse Glick added a comment -

          Would also like a pathless isTrusted() to just check whether the whole revision is from a trusted source or not. Looks like you could currently check env.CHANGE_FORK == null to behave differently on origin vs. fork PRs, which is not as good but maybe good enough as a workaround.

          Jesse Glick added a comment - Would also like a pathless isTrusted() to just check whether the whole revision is from a trusted source or not. Looks like you could currently check env.CHANGE_FORK == null to behave differently on origin vs. fork PRs, which is not as good but maybe good enough as a workaround.

            Unassigned Unassigned
            jglick Jesse Glick
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: