Type: Bug | Resolution: Unresolved | Priority: Critical
I was using the "From users with Admin or Write" permission for "Discover pull requests from forks". A random user opened a PR from their fork against our github.com/keybase/kbfs repository, and Jenkins built it. I'd have expected Jenkins not to build it.
The description:
Pull requests from forks will be treated as trusted if and only if the fork owner has either Admin or Write permissions on the origin repository. Note that this strategy requires the Review a user's permission level API, as a result on GitHub Enterprise Server versions before 2.12 this is the same as trusting Nobody.
Our repositories are open source, so we allow anyone to see them. But only a small set of users have Admin or Write permissions. And yet we had a random user create a pull request, and it got built by Jenkins.
I've now set the fork permission to "Nobody".
Is duplicated by: JENKINS-52706 GitHub org trust level not honored for PRs from forks (Resolved)
This is an interesting one - the implementation is actually intended to block running any changes in the Jenkinsfile from an untrusted fork, instead using the merge target's Jenkinsfile unchanged, rather than blocking building of an untrusted fork's PR entirely. But that does seem to be a worthwhile feature to consider adding.
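An added example, not from the issue, the reporter, or the plugin's own documentation, of how the "Nobody" trust setting the reporter switched to is declared in Job DSL for a GitHub multibranch pipeline, with the "Admin or Write" setting shown commented out for comparison. The repository owner and name come from the report; the job name, source id and credentials id are placeholders, and the trait and trust symbol names (gitHubBranchDiscovery, gitHubPullRequestDiscovery, gitHubForkDiscovery, gitHubTrustNobody, gitHubTrustPermissions) are assumed to match the GitHub Branch Source plugin's dynamic DSL symbols.

```groovy
// Added example, not from the issue. Job DSL for a multibranch pipeline on
// github.com/keybase/kbfs (repository taken from the report). Trait and trust
// symbol names are assumed to match the GitHub Branch Source plugin's DSL.
multibranchPipelineJob('kbfs') {                        // job name: placeholder
  branchSources {
    branchSource {
      source {
        github {
          id('kbfs-github')                             // placeholder source id
          repoOwner('keybase')
          repository('kbfs')
          credentialsId('github-credentials')           // placeholder
          traits {
            // Build branches that live in the origin repository.
            gitHubBranchDiscovery { strategyId(1) }
            // Build pull requests opened from the origin repository.
            gitHubPullRequestDiscovery { strategyId(1) }
            // Discover pull requests from forks, but trust nobody's Jenkinsfile:
            // every fork PR is built with the target branch's Jenkinsfile.
            gitHubForkDiscovery {
              strategyId(1)
              trust { gitHubTrustNobody() }
              // The "From users with Admin or Write permission" setting the
              // reporter was using instead:
              // trust { gitHubTrustPermissions() }
            }
          }
        }
      }
    }
  }
}
```

As the comment above describes, the trust setting decides whose Jenkinsfile runs for a fork PR, not whether the PR is built at all; with either setting a fork PR is still discovered and built. Leaving the gitHubForkDiscovery trait out of the traits block is what stops fork PRs from being discovered, at the cost of building none of them.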