On Fri 11 Jan 2019 at 07:28, Stephen Connolly <stephen.alan.conno...@gmail.com> wrote:

> On Fri 11 Jan 2019 at 06:28, Joan Touzet <woh...@apache.org> wrote:
>
>> > > I believe this is the missing piece for Jenkins CI.
>> >
>> > Nope. Though configuring the behaviour for untrusted refs is a bit of
>> > a dark magic. For one the Authorize Project plugin was implemented
>> > without anyone paying attention to the permissions stuff in the
>> > Credentials plugin... so there are some minor pitfalls there...
>> > mostly around people not actually understanding what the different
>> > credentials stores are for. Then the SCM API trusted refs stuff is
>> > poorly understood... and finally on top of all that Pipeline
>> > currently runs the Groovy script on the master so you cannot verify
>> > untrusted refs that change the Jenkinsfile while having the security
>> > protections.
>> >
>> > But you can most certainly set up Jenkins to have access to a user's
>> > deployment credentials when triggered by the user wanting to deploy
>> > while preventing PRs from accessing those credentials... However it
>> > probably requires a Jenkins Ninja such as myself, KK, Jesse or Oleg
>> > to set it up!
>> >
>> > New initiatives in Jenkins will help make these things accessible to
>> > people not intimately aware of the finer details of how Jenkins
>> > works
>>
>> I'm willing to believe that Jenkins, the software, is incapable of
>
> I assume you meant capable rather than incapable.
>
>> this, though more detail would be nice rather than just "trust me,
>> it's hard."
>
> I’ll see if I can write up a blog post on it... I’m sure my employer
> wouldn’t object to me writing it on company time... given our major product
> ;-)

Oh and I was actually aiming for “don’t feel bad if you don’t know how, it’s not immediately obvious”

>> What about buildbot? Or another technology we could use with INFRA's
>> support? Last time I looked at buildbot, its integration with Docker
>> was very poor.
>>
>> I don't have any special attachment to Jenkins.
>>
>> -Joan
>
> --
> Sent from my phone

--
Sent from my phone