[JENKINS-46795] `TrustworthyBuild` extension point #180
base: master
return TrustworthyBuild.byCause(Cause.UserIdCause.class); | ||
} | ||
|
||
// TODO until github-checks can declare a dep on a sufficiently new scm-api |
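Review bot: the TODO on the last line names the blocker (github-checks declaring a dependency on a sufficiently new scm-api) but not what is to be removed or changed once that happens. State the follow-up in the comment, or reference a tracking issue, so the workaround does not outlive its reason.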
} | ||
try { | ||
var permission = Run.PERMISSIONS.find("Replay"); // ReplayAction.REPLAY | ||
if (permission == null) { // no workflow-cps |
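Review bot: on the `Run.PERMISSIONS.find("Replay")` line the permission is resolved by a string literal, with only a trailing comment tying it to `ReplayAction.REPLAY`, so a name mismatch would land in the same `permission == null` branch that is labelled "no workflow-cps". Since this feeds a trust decision, consider a test asserting that the lookup is non-null when workflow-cps is installed, so the two cases cannot be silently confused.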
Could be defined more modularly as an extension in `workflow-cps`, but would be awkward since the rest of this impl would need to be duplicated, and `ordinal` used to avoid printing misleading messages. In practice the callers of `getTrustedRevisionForBuild` are going to be in Pipeline code so I am not too concerned.
listener.getLogger().println("Not trusting build since no user name was recorded"); | ||
return false; | ||
} | ||
var user = User.getById(userId, false); |
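Review bot: `User.getById(userId, false)` on the last line returns null when no such user exists, and the handling of that case is not visible in this hunk. It should be treated like the missing-user-name case just above: print a "Not trusting build" message to the listener and return false, rather than dereferencing `user`.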
Could pass `true` but we expect the `User` to have just been loaded anyway.
@Extension | ||
public static TrustworthyBuild byUserId() { | ||
return (build, listener) -> { | ||
var cause = build.getCause(Cause.UserIdCause.class); |
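Review bot: `build.getCause(Cause.UserIdCause.class)` on the last line yields a single cause of that type, so if a build carries more than one `UserIdCause` only one of them is evaluated. Either document on `byUserId()` that a single cause is consulted, or iterate over all causes of the type and require each to pass, so the result does not depend on their order.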
While it should be rare, there can be multiple causes of the same type for a build that aren't collapsed into one entry. Whether a build is approved or not could depend on the (insertion) order of the `CauseAction#causeBag`.
> there can be multiple causes of the same type for a build that aren't collapsed into one entry

The API does not prevent it but this ought never happen—it is the responsibility of code triggering the build to pass at most one `Cause` of any given type. At worst a build is not considered trusted when it could have been, so this does not seem like a problem in practice.
…into trust-JENKINS-46795
…uild (e.g., SCM trigger) where this does not matter (e.g., branch push) jenkinsci#180 (comment)
The behavior introduced here makes sense.
I am not too familiar with the design of SCM API so cannot really comment on whether the code is placed appropriately, but see nothing particularly wrong either.
Putting API on hold since there is active design conversation downstream.
Where? It seems over in jenkinsci/workflow-multibranch-plugin#220 (comment)