On Fri 11 Jan 2019 at 06:28, Joan Touzet <woh...@apache.org> wrote:

> > > I believe this is the missing piece for Jenkins CI.
> >
> > Nope. Though configuring the behaviour for untrusted refs is a bit of
> > a dark magic. For one the Authorize Project plugin was implemented
> > without anyone paying attention to the permissions stuff in the
> > Credentials plugin... so there are some minor pitfalls there...
> > mostly around people not actually understanding what the different
> > credentials stores are for. Then the SCM API trusted refs stuff is
> > poorly understood... and finally on top of all that Pipeline
> > currently runs the Groovy script on the master so you cannot verify
> > untrusted refs that change the Jenkinsfile while having the security
> > protections.
> >
> > But you can most certainly set up Jenkins to have access to a user's
> > deployment credentials when triggered by the user wanting to deploy
> > while preventing PRs from accessing those credentials... However it
> > probably requires a Jenkins Ninja such as myself, KK, Jesse or Oleg
> > to set it up!
> >
> > New initiatives in Jenkins will help make these things accessible to
> > people not intimately aware of the finer details of how Jenkins
> > works
>
> I'm willing to believe that Jenkins, the software, is incapable of


I assume you meant capable rather than incapable.


> this, though more detail would be nice rather than just "trust me,
> it's hard."


I’ll see if I can write up a blog post on it... I’m sure my employer
wouldn’t object to me writing it on company time... given our major product
;-)


>
> What about buildbot? Or another technology we could use with INFRA's
> support? Last time I looked at buildbot, its integration with Docker
> was very poor.
>
> I don't have any special attachment to Jenkins.
>
> -Joan
>
-- 
Sent from my phone
