Jarek>What credentials are you talking about? For instance, asfNexusUsername/asfNexusPassword (see https://cwiki.apache.org/confluence/display/INFRA/Gradle+Installations ) I assume there exists something like git-websites Jenkins node label that has privileges to update project site ( https://cwiki.apache.org/confluence/display/INFRA/Jenkins+node+labels )
Jarek>Not as long as the build cannot write to the github repository and modify Jarek>code. ASF Jenknis nodes are stateful, and they do have credentials of some kind. On top of that, a malicious build script plugin could use developer's credentials to make changes to the repositories. Vladimir
