Bug
Resolution: Unresolved
Critical
Same as JENKINS-58618
Using the same configuration as is detailed in JENKINS-58618, I am also finding that PRs that should not be built because they are from untrusted sources will get built during the Branch Indexing:
    Checking pull request #814 (not from a trusted source)
    'Jenkinsfile' found
    Met criteria
    Changes detected: PR-814 (null → [redacted])
    Connecting to https://api.github.com to check permissions of obtain list of [redacted] for [redacted]/[redacted]
    Loading trusted files from base branch master at [redacted] rather than [redacted]
    Scheduled build for branch: PR-814
You can see that it was determined to be untrusted and reverted to the Jenkinsfile from the origin instead of the PR, but shouldn't the setting in:
https://issues.jenkins-ci.org/secure/attachment/48061/image-2019-07-23-10-30-22-210.png
mean that it's not even run at all?
brianjmurrell
I agree this is a problem. Tracking down where it is coming from is a bit more involved, partly because the basic-build-branch plugin currently often doesn't log output about what it observes. This means that I can't really tell from this output what is going on - why it is choosing to build these PRs instead of rejecting them.
Have you tried setting Trusted to "Nobody" as suggested here:
https://issues.jenkins-ci.org/browse/JENKINS-53752?focusedCommentId=373461&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-373461
From what I see that results in the correct behavior, so for truly untrusted cases the filter seems to work:
You could then specify users to still build for.
To be clear, there is a bug here and it should be fixed, but it will take some work to isolate.
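Added example, not part of the issue thread and not code from any Jenkins plugin: a log check that finds the behaviour reported above, where a pull request marked "(not from a trusted source)" during branch indexing still gets "Scheduled build for branch". The function name and the sample log are constructed for illustration, and the script assumes the untrusted marker appears on the "Checking pull request" line or on a later line of the same PR's block.

```python
import re

# Constructed sample modelled on the indexing output quoted in the issue.
# PR numbers 812 and 813 are made up; only the PR-814 lines mirror the report.
SAMPLE_LOG = """\
Checking pull request #812
'Jenkinsfile' found
Met criteria
Changes detected: PR-812 (null → [redacted])
Scheduled build for branch: PR-812
Checking pull request #813 (not from a trusted source)
'Jenkinsfile' found
Met criteria
Checking pull request #814
(not from a trusted source)
'Jenkinsfile' found
Met criteria
Changes detected: PR-814 (null → [redacted])
Loading trusted files from base branch master at [redacted] rather than [redacted]
Scheduled build for branch: PR-814
"""

CHECKING = re.compile(r"Checking pull request #(\d+)")
UNTRUSTED = "(not from a trusted source)"
SCHEDULED = re.compile(r"Scheduled build for branch: PR-(\d+)")


def untrusted_prs_scheduled(log_text):
    """Return PR numbers flagged untrusted that still had a build scheduled."""
    current = None       # PR whose block of log lines we are inside
    untrusted = set()    # PRs the indexer reported as untrusted
    flagged = []
    for line in log_text.splitlines():
        m = CHECKING.search(line)
        if m:
            current = int(m.group(1))
        # The marker may share the "Checking" line or follow on its own line.
        if current is not None and UNTRUSTED in line:
            untrusted.add(current)
        s = SCHEDULED.search(line)
        if s and int(s.group(1)) in untrusted:
            flagged.append(int(s.group(1)))
    return flagged


if __name__ == "__main__":
    for pr in untrusted_prs_scheduled(SAMPLE_LOG):
        print(f"untrusted PR-{pr} was scheduled during branch indexing")
```

Run it over saved indexing logs after changing the trust setting to confirm that untrusted PRs are no longer scheduled.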