I was using the "From users with Admin or Write" permission for "Discover pull requests from forks". A random user opened a PR from their fork against our github.com/keybase/kbfs repository, and Jenkins built it. I'd have expected Jenkins not to build it.

The description:

Pull requests forks will be treated as trusted if and only if the fork owner has either Admin or Write permissions on the origin repository. Note that this strategy requires the Review a user's permission level API, as a result on GitHub Enterprise Server versions before 2.12 this is the same as trusting Nobody.

Our repositories are open source, so we allow anyone to see them. But only a small set of users have Admin or Write permissions. And yet we had a random user create a pull request, and it got built by Jenkins.

I've now set the fork permission to "Nobody".

          [JENKINS-48848] Discover permissions check doesn't work

          John Zila created issue -
          Andrew Bayer made changes -
          Link New: This issue is duplicated by JENKINS-52706 [ JENKINS-52706 ]

            Unassigned Unassigned
            jzila John Zila
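An independent check of the trust rule quoted in the description, as an added example; it is not code from the Jenkins plugin or from the reporter. It evaluates "fork owner has Admin or Write on the origin repository" against GitHub's collaborator permission endpoint and fails closed on any lookup error. The function names, the sample logins and the sample responses are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

TRUSTED_LEVELS = {"admin", "write"}  # the two levels named in the description

def fetch_permission(owner, repo, user, token, api="https://api.github.com"):
    """Call GitHub's 'Review a user's permission level' endpoint."""
    url = f"{api}/repos/{owner}/{repo}/collaborators/{user}/permission"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def fork_is_trusted(pr, fetch):
    """True only if the fork owner has Admin or Write on the origin repository.

    pr is a pull request object as returned by the GitHub REST API;
    fetch(owner, repo, user) returns the permission response body.
    Lookup errors and unexpected responses mean untrusted (fail closed).
    """
    base = pr["base"]["repo"]
    head_repo = pr["head"].get("repo")
    if head_repo is None:  # the fork no longer exists, so no owner to check
        return False
    fork_owner = head_repo["owner"]["login"]
    try:
        body = fetch(base["owner"]["login"], base["name"], fork_owner)
    except (urllib.error.URLError, ValueError, KeyError):
        return False
    return isinstance(body, dict) and body.get("permission") in TRUSTED_LEVELS

# Constructed sample data: logins and responses are placeholders.
SAMPLE_RESPONSES = {
    "maintainer-example": {"permission": "write"},
    "random-user-example": {"permission": "read"},
}

def fake_fetch(owner, repo, user):
    """Offline stand-in for fetch_permission, backed by SAMPLE_RESPONSES."""
    if user not in SAMPLE_RESPONSES:
        raise urllib.error.URLError("lookup failed")
    return SAMPLE_RESPONSES[user]

def make_pr(fork_owner):
    """Build the minimal part of a pull request object that the check reads."""
    head = {"repo": {"owner": {"login": fork_owner}}} if fork_owner else {"repo": None}
    return {"base": {"repo": {"name": "kbfs", "owner": {"login": "keybase"}}},
            "head": head}
```

For a live check, pass `lambda o, r, u: fetch_permission(o, r, u, token)` as `fetch`, using a token that is allowed to read collaborator permissions on the origin repository.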